History: Feb 23, 2023 - 12:00 a.m.

CVE-2023-26326

2023-02-23 00:00:00
tenable
www.cve.org
buddyforms
wordpress
unauthenticated
insecure deserialization
phar wrapper
arbitrary php objects
malicious actions
pop chain

AI Score: 9.8 High (Confidence: High)

EPSS: 0.003 Low (Percentile: 65.6%)

The BuddyForms WordPress plugin, in versions prior to 2.7.8, was affected by an unauthenticated insecure deserialization issue. An unauthenticated attacker could leverage this issue to call files using a PHAR wrapper, which deserializes the data and calls arbitrary PHP objects that can be used to perform a variety of malicious actions, provided a POP chain is also present.

CNA Affected

[
  {
    "vendor": "n/a",
    "product": "BuddyForms WordPress Plugin",
    "versions": [
      {
        "version": "All versions prior to version 2.7.8",
        "status": "affected"
      }
    ]
  }
]
