CVE-2023-28667

Date: 2023-03-22 00:00:00
Source: tenable (www.cve.org)
Tags: wordpress, plugin, insecure deserialization

AI Score: 9.8 (Confidence: High)

EPSS: 0.002 (Percentile: 58.0%)

The Lead Generated WordPress Plugin, version <= 1.23, was affected by an unauthenticated insecure deserialization issue. The tve_labels parameter of the tve_api_form_submit action is passed to the PHP unserialize() function without being sanitized or verified. This could lead to PHP object injection, which, provided a POP chain (a gadget chain built from available class implementations) is also present, could be leveraged to perform a variety of malicious actions.
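As an added detection example (not part of the CVE record or the plugin's code), the following Python check inspects a form-encoded request body for serialized PHP objects in `tve_labels` when the action is `tve_api_form_submit`. The form-encoded body layout, the base64 fallback and the sample bodies are assumptions; the record does not state the wire encoding.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlencode

ACTION = "tve_api_form_submit"  # action named in the advisory
PARAM = "tve_labels"            # parameter named in the advisory

# serialize() writes objects as O:<len>:"<Class>":<count>:{ (C: for Serializable).
# The optional "+" covers the signed-length form some PHP versions accept.
PHP_OBJECT = re.compile(r'(?:^|[;{])[OC]:\+?\d+:"([^"]+)":\d+:\{')


def _candidates(value):
    """Yield the value as sent and, when it is valid base64, its decoded text."""
    yield value
    try:
        yield base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        pass  # not base64; the raw form was already yielded


def object_classes(body):
    """Class names of serialized PHP objects found in tve_labels, else []."""
    fields = parse_qsl(body, keep_blank_values=True)
    if ("action", ACTION) not in fields:
        return []
    found = []
    for key, value in fields:
        if key == PARAM or key.startswith(PARAM + "["):
            for text in _candidates(value):
                found.extend(PHP_OBJECT.findall(text))
    return found


# Constructed sample bodies (not captured traffic); stdClass is an inert class.
BENIGN = urlencode({"action": ACTION, PARAM: 'a:1:{s:5:"email";s:5:"Email";}'})
RAW_OBJECT = urlencode({"action": ACTION, PARAM: 'a:1:{s:1:"x";O:8:"stdClass":0:{}}'})
B64_OBJECT = urlencode({"action": ACTION,
                        PARAM: base64.b64encode(b'O:8:"stdClass":0:{}').decode()})
OTHER_ACTION = urlencode({"action": "heartbeat", PARAM: 'O:8:"stdClass":0:{}'})

if __name__ == "__main__":
    for name in ("BENIGN", "RAW_OBJECT", "B64_OBJECT", "OTHER_ACTION"):
        print(name, object_classes(globals()[name]))
```

A non-empty result means the parameter carries an object where only scalars and arrays are expected, which is worth alerting on whether or not a usable POP chain exists on the target.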

CNA Affected

[
  {
    "vendor": "n/a",
    "product": "Lead Generated WordPress Plugin",
    "versions": [
      {
        "version": "<= 1.23",
        "status": "affected"
      }
    ]
  }
]
