Lucene search

TenableCVE-2023-28667

HistoryMar 22, 2023 - 9:15 p.m.

CVE-2023-28667

2023-03-2221:15:19

CWE-502

tenable

web.nvd.nist.gov

lead generated

wordpress plugin

cve-2023-28667

insecure deserialization

php object injection

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.5

Confidence

High

EPSS

0.002

Percentile

58.0%

JSON

The Lead Generated WordPress Plugin, version <= 1.23, was affected by an unauthenticated insecure deserialization issue. The tve_labels parameter of the tve_api_form_submit action is passed to the PHP unserialize() function without being sanitized or verified, and as a result could lead to PHP object injection, which when combined with certain class implementations / gadget chains could be leveraged to perform a variety of malicious actions granted a POP chain is also present.

Affected configurations

Nvd

Node

leadgeneratedlead_generatedRange<1.25wordpress

VendorProductVersionCPE
leadgeneratedlead_generated*cpe:2.3:a:leadgenerated:lead_generated:*:*:*:*:*:wordpress:*:*

Vendor	Product	Version	CPE
leadgenerated	lead_generated	*	cpe:2.3:a:leadgenerated:lead_generated::::::wordpress::*

CNA Affected

[
  {
    "vendor": "n/a",
    "product": "Lead Generated WordPress Plugin",
    "versions": [
      {
        "version": "<= 1.23",
        "status": "affected"
      }
    ]
  }
]

References

www.tenable.com/security/research/tra-2023-7

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.5

Confidence

High

EPSS

0.002

Percentile

58.0%

JSON

Related for CVE-2023-28667