All in one demo Export/Import - Insecure deserialization
Summary
Name | All in one demo Export/Import trun - Insecure deserialization |
Code name | skims-0020 |
Product | All in one demo Export/Import |
Affected versions | Version trun |
State | Private |
Release date | 2025-03-14 |
Vulnerability
Kind | Insecure deserialization |
Rule | Insecure deserialization |
Remote | No |
CVSSv4 Vector | CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U |
CVSSv4 Base Score | 1.7 (Low) |
Exploit available | No |
CVE ID(s) | CVE-2025-31298 |
Description
All in one demo Export/Import trun was found to be vulnerable. Unvalidated user input (the content of the uploaded import file) is passed directly to the unserialize() function in myapp/classes/class-aiodie-core.php.
Vulnerability
Skims by Fluid Attacks discovered an insecure deserialization vulnerability in All in one demo Export/Import trun. The following is the output of the tool:
Skims output
// Import handler for the plugin's upload form.
// Flow: nonce check -> read the uploaded .dat file -> unserialize it -> write
// posts, pages, categories, tags, comments, users, attachments, options,
// custom CSS and theme mods into the site from the decoded array.
// Param $wp_customize: the argument is effectively discarded, because the
//   `global $wp_customize` statement below rebinds the name to the global.
// Returns: nothing on success or on a validation failure (the message is left
//   in the global $cei_error); a WP_Error when media_handle_sideload() fails
//   inside one of the import loops (see the early `return $id` statements).
// NOTE: the scanner output quotes double quotes as "" (e.g. ""wp-admin""); that
//   is a listing artefact, not the plugin's source.
657 | static private function _import( $wp_customize )
658 | {
659 | // Make sure we have a valid nonce.
// NOTE(review): only the nonce is checked in this method; no capability check
// (current_user_can) is visible here — presumably the caller enforces one,
// confirm. $_REQUEST['aiodie-import'] is read without an isset() guard.
660 | if ( ! wp_verify_nonce( $_REQUEST['aiodie-import'], 'aiodie-importing' ) ) {
661 | return;
662 | }
663 | // Make sure WordPress upload support is loaded.
664 | if ( ! function_exists( 'wp_handle_upload' ) ) {
665 | require_once( ABSPATH . 'wp-admin/includes/file.php' );
666 | }
667 | // Load the export/import option class.
668 | require_once AIODIE_PLUGIN_DIR . 'classes/class-aiodie-option.php';
669 |
670 | // Setup global vars.
// `global $wp_customize` replaces the parameter of the same name with the
// global instance.
671 | global $wp_customize;
672 | global $cei_error;
673 |
674 | // Setup internal vars.
675 | $cei_error = false;
// $template is assigned but never compared with $data['template'] (that
// comparison is commented out further down).
676 | $template = get_template();
677 | // for the posts content
678 | // $category = (array) get_categories( array( 'get' => 'all' ) );
679 | // $post = get_posts();
680 | // $page = get_pages();
681 | // $comment = get_comments();
682 | // $menu = get_terms('nav_menu');
683 | // $tags = get_tags(array('get'=>'all'));
684 |
// NOTE(review): test_type => false disables WordPress' upload type check and
// .dat is mapped to text/plain. The file is only read and unlinked below, so
// what matters is its content, which goes straight into unserialize().
685 | $overrides = array( 'test_form' => false, 'test_type' => false, 'mimes' => array('dat' => 'text/plain') );
686 | $file = wp_handle_upload( $_FILES['aiodie-import-file'], $overrides );
687 | // Make sure we have an uploaded file.
688 | if ( isset( $file['error'] ) ) {
689 | $cei_error = $file['error'];
690 | return;
691 | }
692 | if ( ! file_exists( $file['file'] ) ) {
693 | $cei_error = __( 'Error importing settings! Please try again.', 'all-in-one-demo-import-export' );
694 | return;
695 | }
696 | // Get the upload data.
697 | $raw = file_get_contents( $file['file'] );
// SECURITY (CVE-2025-31298): the raw content of the uploaded file is passed to
// unserialize() with no class restriction, so the file decides which PHP
// objects get instantiated; the `@` additionally hides the notice emitted on
// malformed input. Mitigation: pass an explicit allowed_classes list holding
// only the classes the exporter actually emits (not visible here), or move the
// export format to JSON. Note that the loops below dereference object
// properties ($lesson->ID etc.), so allowed_classes => false on its own would
// break them.
> 698 | $data = @unserialize( $raw );
699 |
700 | // (The mods loop is at the end of this method; first drop the temp upload.)
701 | // Remove the uploaded file.
702 | unlink( $file['file'] );
703 |
704 | // Data checks.
// Only the top level is validated; every nested entry below is dereferenced
// with `->` or `[]` without a type check. is_array($data) is the idiomatic test.
705 | if ( 'array' != gettype( $data ) ) {
706 | $cei_error = __( 'Error importing settings! Please check that you uploaded a customizer export file.', 'all-in-one-dem
707 | return;
708 | }
709 |
// Both branches below are empty: neither 'template' nor 'mods' is validated.
710 | if ( isset( $data['template'] )) {
711 |
712 | }
713 | if( isset( $data['mods'] )){
714 |
715 | }
716 |
717 | // if ( $data['template'] != $template ) {
718 |
719 | // }
720 | //Import images.
// $data['mods'] is not guaranteed to exist at this point (the isset() above
// has an empty body).
721 | if ( isset( $_REQUEST['aiodie-import-images'] ) ) {
722 | $data['mods'] = self::_import_images( $data['mods'] );
723 | }
724 |
725 | if ( isset( $data['post'] ) ) {
726 | /* code for upload the post */
// $postid maps the exported post ID to the ID created/updated on this site;
// it is read by the category and comment sections below.
727 | $postid = array();
728 | foreach ($data['post'] as $key => $lesson) {
// Author, status and type are taken from the import file as-is and passed to
// wp_insert_post()/wp_update_post() without filtering.
729 | $post_id = $lesson->ID;
730 | $post_title = $lesson->post_title;
731 | $post_author = $lesson->post_author;
732 | $post_content = $lesson->post_content;
733 | $post_type = $lesson->post_type;
734 | $post_status = $lesson->post_status;
// NOTE(review): matching by title means an existing post with the same title is
// overwritten; get_page_by_title() is deprecated in recent WordPress — verify.
735 | $check_title=get_page_by_title($post_title, 'OBJECT', 'post');
736 |
737 | if (empty($check_title) ){
738 | $my_post = array(
739 | 'post_title' => $post_title,
740 | 'post_content' => $post_content,
741 | 'post_status' => $post_status,
742 | 'post_author' => $post_author,
743 | 'post_type' => $post_type,
744 | );
745 | $post_insert = wp_insert_post( $my_post );
746 | }else{
747 | $my_post = array(
748 | 'ID' => $check_title->ID,
749 | 'post_title' => $post_title,
750 | 'post_content' => $post_content,
751 | 'post_status' => $post_status,
752 | 'post_author' => $post_author,
753 | 'post_type' => $post_type,
754 | );
755 | $post_insert = wp_update_post( $my_post );
756 | }
757 |
// $data['tags_input'][$post_id] is read without checking that the key exists.
758 | if (isset($data['tags_input'])){
759 | wp_set_post_tags($post_insert, $data['tags_input'][$post_id], true);
760 | }
761 |
762 | if (isset($data['custom_fields'])){
763 |
// Meta keys and values come from the import file unfiltered; the $post_id
// index is not checked for existence.
764 | $customdata = $data['custom_fields'][$post_id];
765 |
766 | foreach($customdata as $metakey => $metavalue){
767 | foreach($metavalue as $value){
768 | add_post_meta( $post_insert, $metakey, $value, true );
769 |
770 | }
771 | }
772 | }
773 |
774 | // Need to require these files
775 | if ( !function_exists('media_handle_upload') ) {
776 | require_once(ABSPATH . ""wp-admin"" . '/includes/image.php');
777 | require_once(ABSPATH . ""wp-admin"" . '/includes/file.php');
778 | require_once(ABSPATH . ""wp-admin"" . '/includes/media.php');
779 | }
780 |
// The server fetches a URL supplied by the import file. download_url() is
// expected to apply WordPress' own safe-request checks — confirm for the
// WordPress versions the plugin supports.
781 | $url = $data['post_attachment'][$post_id];
782 | $tmp = download_url( $url );
// Empty branch: a failed download is only handled by the is_wp_error() check
// further down, which blanks tmp_name and lets media_handle_sideload() fail.
783 | if( is_wp_error( $tmp ) ){
784 | // download failed, handle error
785 | }
786 | $postpid = $post_insert;
787 |
788 | $desc = ""The WordPress Logo"";
789 | $file_array = array();
790 |
791 | // Set variables for storage
792 | // fix file filename for query strings
// $matches[0] is undefined when the URL has no image extension.
793 | preg_match('/[^?]+\.(jpg|jpe|jpeg|gif|png)/i', $url, $matches);
794 | $file_array['name'] = basename($matches[0]);
795 | $file_array['tmp_name'] = $tmp;
796 |
797 | // If error storing temporarily, unlink
798 | if ( is_wp_error( $tmp ) ) {
799 | @unlink($file_array['tmp_name']);
800 | $file_array['tmp_name'] = '';
801 | }
802 |
803 | // do the validation and storage stuff
804 | $id = media_handle_sideload( $file_array, $postpid, $desc );
805 |
806 | // If error storing permanently, unlink
// NOTE(review): this returns from _import() in the middle of the post loop,
// skipping every later section, and leaves $cei_error unset so the admin sees
// no error message.
807 | if ( is_wp_error($id) ) {
808 | @unlink($file_array['tmp_name']);
809 | return $id;
810 | }
811 |
// (This line is cut off in the scanner output.)
812 | $attachments = get_posts(array('numberposts' => '1', 'post_parent' => $postpid, 'post_type' => 'attachment', 'post_mi
813 |
814 | if(sizeof($attachments) > 0){
815 | // set image as the post thumbnail
816 | set_post_thumbnail($postpid, $attachments[0]->ID);
817 | }
818 | $postid[$post_id] = $post_insert;
819 | }
820 | }
821 |
// Page import: same structure and the same caveats as the post branch above
// (unfiltered author/status/type, title-based overwrite, unchecked indexes,
// empty download-error branch, early return on sideload error).
822 | if ( isset( $data['page'] ) ) {
823 | /* code for upload the page */
// $pageid is initialised but never written.
824 | $pageid = array();
825 | foreach ($data['page'] as $key => $lesson) {
826 | $page_id = $lesson->ID;
827 | $post_title = $lesson->post_title;
828 | $post_author = $lesson->post_author;
829 | $post_content = $lesson->post_content;
830 | $post_type = $lesson->post_type;
831 | $post_status = $lesson->post_status;
832 | $check_title=get_page_by_title($post_title, 'OBJECT', 'page');
833 |
834 | //also var_dump($check_title) for testing only
835 | if (empty($check_title) ){
836 | $my_post = array(
837 | 'post_title' => $post_title,
838 | 'post_content' => $post_content,
839 | 'post_status' => $post_status,
840 | 'post_type' => $post_type,
841 | 'post_author' => $post_author,
842 | );
843 | $page_insert = wp_insert_post( $my_post );
844 | }else{
845 | $my_post = array(
846 | 'ID' => $check_title->ID,
847 | 'post_title' => $post_title,
848 | 'post_content' => $post_content,
849 | 'post_status' => $post_status,
850 | 'post_type' => $post_type,
851 | 'post_author' => $post_author,
852 | );
853 | $page_insert = wp_update_post( $my_post );
854 | }
855 |
856 | if(isset($data['custom_fieldspage'])){
857 | $custompagedata = $data['custom_fieldspage'][$page_id];
858 | foreach($custompagedata as $metapagekey => $metapagevalue){
859 | foreach($metapagevalue as $val){
860 | add_post_meta( $page_insert, $metapagekey, $val, true );
861 | }
862 | }
863 | }
864 | // Need to require these files
865 | if ( !function_exists('media_handle_upload') ) {
866 | require_once(ABSPATH . ""wp-admin"" . '/includes/image.php');
867 | require_once(ABSPATH . ""wp-admin"" . '/includes/file.php');
868 | require_once(ABSPATH . ""wp-admin"" . '/includes/media.php');
869 | }
870 | $url = $data['page_attachment'][$page_id];
871 | $tmp = download_url( $url );
872 | if( is_wp_error( $tmp ) ){
873 | // download failed, handle error
874 | }
875 | $pagepid = $page_insert;
876 |
877 | $desc = ""The WordPress Logo"";
878 | $file_array = array();
879 |
880 | // Set variables for storage
881 | // fix file filename for query strings
882 | preg_match('/[^?]+\.(jpg|jpe|jpeg|gif|png)/i', $url, $matches);
883 | $file_array['name'] = basename($matches[0]);
884 | $file_array['tmp_name'] = $tmp;
885 |
886 | // If error storing temporarily, unlink
887 | if ( is_wp_error( $tmp ) ) {
888 | @unlink($file_array['tmp_name']);
889 | $file_array['tmp_name'] = '';
890 | }
891 |
892 | // do the validation and storage stuff
893 | $id = media_handle_sideload( $file_array, $pagepid, $desc );
894 |
895 | // If error storing permanently, unlink
896 | if ( is_wp_error($id) ){
897 | @unlink($file_array['tmp_name']);
898 | return $id;
899 | }
900 |
// (This line is cut off in the scanner output.)
901 | $attachments = get_posts(array('numberposts' => '1', 'post_parent' => $pagepid, 'post_type' => 'attachment', 'post_mi
902 |
903 | if(sizeof($attachments) > 0){
904 | // set image as the post thumbnail
905 | set_post_thumbnail($pagepid, $attachments[0]->ID);
906 | }
907 |
908 | }
909 |
910 | }
911 |
912 | if ( isset( $data['category'] ) ) {
913 |
914 | if ($data['category'] != ''){
915 | /* code for upload the category */
// $category_map: exported term_id -> term_id on this site.
916 | $category_map = array();
917 | foreach($data['category'] as $key => $lesson){
// $category (cat_ID) is assigned but never used.
918 | $category = $lesson->cat_ID;
919 | $term_id = $lesson->term_id;
920 | $cat_name = $lesson->name;
921 | $cat_slug = $lesson->slug;
// The taxonomy name comes from the file; term_exists()/wp_insert_term() are
// called with it unchecked.
922 | $taxonomy = $lesson->taxonomy;
923 |
924 | $term = term_exists($cat_name, $taxonomy);
925 | if ($term !== 0 && $term !== null){
926 | $termid = $term['term_id'];
// wp_update_term() is called with no $args, so this is effectively a no-op.
927 | $term = wp_update_term($termid, $taxonomy );
928 |
929 | $category_map[$term_id] = $term['term_id'];
930 | }else{
931 | $term_ins = wp_insert_term($cat_name, $taxonomy, array('slug' => $cat_slug) );
932 | $category_map[$term_id] = $term_ins['term_id'];
933 | }
934 | }
935 |
// NOTE(review): $postid is undefined here when the file carried no 'post'
// section, and $data['post_category'][$key] is read without an isset() check.
936 | foreach($postid as $key => $value1){
937 |
938 | $post_categories = $data['post_category'][$key];
939 | $newcat = array();
940 | foreach( $post_categories as $cat){
// The inner loop reuses $key (shadowing the post key) and appends
// $category_map[$cat] once per exported category, so $newcat fills with
// duplicates and wp_set_post_categories()/wp_set_post_terms() is called on
// every iteration.
941 | foreach($data['category'] as $key => $lesson){
942 | $newcat[] = $category_map[$cat];
943 | $term_id = $lesson->term_id;
944 | $taxonomy = $lesson->taxonomy;
945 | if($taxonomy == 'category'){
946 | wp_set_post_categories($value1, $newcat);
947 | }else{
948 | wp_set_post_terms($value1, $newcat, $taxonomy);
949 | }
950 | }
951 | }
952 | }
953 | }
954 | }
955 |
956 | if ( isset( $data['tags'] ) ){
957 | /* code for upload the tags */
958 | $tags_map = array();
959 | foreach($data['tags'] as $key => $lesson){
960 | $term_id = $lesson->term_id;
961 | $tag_name = $lesson->name;
// $description and $tag_parent are assigned but never used.
962 | $description = $lesson->description;
963 | $tag_parent = $lesson->parent;
964 | $tag_slug = $lesson->slug;
965 | $term = term_exists($tag_name, 'post_tag');
966 | if ($term !== 0 && $term !== null) {
967 | $termid = $term['term_id'];
// $taxonomy is never assigned in this branch: it holds whatever the category
// loop left behind, or is undefined. 'post_tag' is presumably intended.
968 | $term = wp_update_term($termid, $taxonomy );
969 |
970 | $tags_map[$term_id] = $term['term_id'];
971 | }else{
972 | $term_ins = wp_insert_term($tag_name, 'post_tag', array('slug' => $tag_slug) );
973 | $tags_map[$term_id] = $term_ins['term_id'];
974 | }
975 | }
976 | }
977 | if ( isset( $data['comment'] ) ){
978 | /* code for upload the comment */
979 | foreach($data['comment'] as $key => $lesson){
980 |
// Every comment field, including comment_approved, user_id and the author IP,
// is taken from the import file and written via wp_insert_comment().
981 | $comment_post_ID = $lesson->comment_post_ID;
982 | $comment_author = $lesson->comment_author;
983 | $comment_author_email = $lesson->comment_author_email;
984 | $comment_author_url = $lesson->comment_author_url;
985 | $comment_content = $lesson->comment_content;
986 | $comment_type = $lesson->comment_type;
987 | $comment_parent = $lesson->comment_parent;
988 | $user_id = $lesson->user_id;
989 | $comment_author_IP = $lesson->comment_author_IP;
990 | $comment_agent = $lesson->comment_agent;
991 | $comment_approved = $lesson->comment_approved;
992 | $time = current_time('mysql');
993 |
994 | $comment_data = array(
// $postid[$comment_post_ID] is undefined when the referenced post was not part
// of the import (or when the file had no 'post' section at all).
995 | 'comment_post_ID' => $postid[$comment_post_ID],
996 | 'comment_author' => $comment_author,
997 | 'comment_author_email' => $comment_author_email,
998 | 'comment_author_url' => $comment_author_url,
999 | 'comment_content' => $comment_content,
1000 | 'comment_type' => $comment_type,
1001 | 'comment_parent' => $comment_parent,
1002 | 'user_id' => $user_id,
1003 | 'comment_author_IP' => $comment_author_IP,
1004 | 'comment_agent' => $comment_agent,
1005 | 'comment_date' => $time,
1006 | 'comment_approved' => $comment_approved,
1007 | );
1008 | wp_insert_comment($comment_data);
1009 | }
1010 | }
1011 |
// User import: accounts are created from the login names in the file.
1012 | if ( isset( $data['users'] ) ) {
1013 | /* code for upload the users */
1014 | foreach($data['users'] as $key => $lesson){
1015 | $userlogin = $lesson->user_login;
1016 | $user_id = $lesson->ID;
// BUG: $user_login is undefined (the variable assigned above is $userlogin),
// so this check never fires and every entry falls through to wp_insert_user(),
// which then has to reject duplicates itself.
1017 | if(username_exists( $user_login )){
1018 | //echo '---------';
1019 | // echo ""Username already exists"";
1020 | }else{
// NOTE(review): user_pass is NULL and no role is set — what wp_insert_user()
// does with a null password and which role the account receives should be
// confirmed for the supported WordPress versions.
1021 | $userdata = array(
1022 | 'user_login' => $userlogin,
1023 | 'user_url' => '',
1024 | 'user_pass' => NULL
1025 | );
1026 | $user_id = wp_insert_user( $userdata );
1027 |
1028 | //On success
// Direct echo from inside the import handler; output lands wherever this
// method is called from.
1029 | if( !is_wp_error($user_id) ) {
1030 | echo ""User created : "". $user_id;
1031 | }
1032 | }
1033 | }
1034 | }
1035 | if(isset($data['attachment'])){
1036 | /* code for upload the attachment */
1037 | foreach($data['attachment'] as $value){
1038 |
1039 | if ( !function_exists('media_handle_upload') ) {
1040 | require_once(ABSPATH . ""wp-admin"" . '/includes/image.php');
1041 | require_once(ABSPATH . ""wp-admin"" . '/includes/file.php');
1042 | require_once(ABSPATH . ""wp-admin"" . '/includes/media.php');
1043 | }
1044 |
// Each entry is a URL from the import file that the server downloads.
1045 | $url = $value;
1046 | $tmp = download_url( $url );
1047 |
1048 | if( is_wp_error( $tmp ) ){
1049 | // download failed, handle error
1050 | }
// $page_insert is only assigned in the page branch: attachments are parented
// to the last imported page, or to an undefined value when no page was imported.
1051 | $pagepid = $page_insert;
1052 |
1053 | $desc = ""The WordPress Logo"";
1054 | $file_array = array();
1055 |
1056 | // Set variables for storage
1057 | // fix file filename for query strings
1058 | preg_match('/[^?]+\.(jpg|jpe|jpeg|gif|png)/i', $url, $matches);
1059 | $file_array['name'] = basename($matches[0]);
1060 | $file_array['tmp_name'] = $tmp;
1061 |
1062 | // If error storing temporarily, unlink
1063 | if ( is_wp_error( $tmp ) ) {
1064 | @unlink($file_array['tmp_name']);
1065 | $file_array['tmp_name'] = '';
1066 | }
1067 |
1068 | // do the validation and storage stuff
1069 | $id = media_handle_sideload( $file_array, $pagepid, $desc );
1070 |
1071 | // If error storing permanently, unlink
1072 | if ( is_wp_error($id) ) {
1073 | @unlink($file_array['tmp_name']);
1074 | return $id;
1075 | }
1076 |
// (This line is cut off in the scanner output.)
1077 | $attachments = get_posts(array('numberposts' => '1', 'post_parent' => $pagepid, 'post_type' => 'attachment', 'post_mi
1078 |
1079 | if(sizeof($attachments) > 0){
1080 | // set image as the post thumbnail
1081 | set_post_thumbnail($pagepid, $attachments[0]->ID);
1082 | }
1083 | }
1084 | }
1085 |
1086 | // Import custom options.
// Option names and values come from the import file; whether AIODIE_Option
// restricts which options may be written is not visible here — confirm.
1087 | if ( isset( $data['options'] ) ) {
1088 | foreach ( $data['options'] as $option_key => $option_value ) {
1089 | $option = new AIODIE_Option( $wp_customize, $option_key, array(
1090 | 'default' => '',
1091 | 'type' => 'option',
1092 | 'capability' => 'edit_theme_options'
1093 | ) );
1094 | $option->import( $option_value );
1095 | }
1096 | }
1097 | // If wp_css is set then import it.
1098 | if( function_exists( 'wp_update_custom_css_post' ) && isset( $data['wp_css'] ) && '' !== $data['wp_css'] ) {
1099 | wp_update_custom_css_post( $data['wp_css'] );
1100 | }
1101 |
1102 | // Call the customize_save action.
1103 | do_action( 'customize_save', $wp_customize );
1104 |
1105 | // Loop through the mods.
1106 | if(isset($data['mods'])){
1107 | foreach ( $data['mods'] as $key => $val ) {
1108 |
1109 | // Call the customize_save_ dynamic action.
// The action name is built from a key taken from the import file.
1110 | do_action( 'customize_save_' . $key, $wp_customize );
1111 | // Save the mod.
1112 | set_theme_mod( $key, $val );
1113 | }
1114 | }
1115 | // Call the customize_save_after action.
1116 | do_action( 'customize_save_after', $wp_customize );
1117 | }
^ Col 0
Our security policy
We have reserved the ID CVE-2025-31298 to refer to this issue from now on.
System Information
- Product: All in one demo Export/Import
- Version: trun
Mitigation
There is currently no patch available for this vulnerability.
Credits
The vulnerability was discovered by Andres Roldan from Fluid Attacks' Offensive Team using Skims
Timeline

2025-03-14
Vulnerability discovered.

2025-03-14
Vendor contacted.