Lucene search

[email protected]NVD:CVE-2023-28667

HistoryMar 22, 2023 - 9:15 p.m.

CVE-2023-28667

2023-03-2221:15:19

CWE-502

[email protected]

web.nvd.nist.gov

wordpress

plugin

insecure deserialization

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.6

Confidence

High

EPSS

0.002

Percentile

58.0%

JSON

The Lead Generated WordPress Plugin, version <= 1.23, was affected by an unauthenticated insecure deserialization issue. The tve_labels parameter of the tve_api_form_submit action is passed to the PHP unserialize() function without being sanitized or verified, and as a result could lead to PHP object injection, which when combined with certain class implementations / gadget chains could be leveraged to perform a variety of malicious actions granted a POP chain is also present.

Affected configurations

Nvd

Node

leadgeneratedlead_generatedRange<1.25wordpress

VendorProductVersionCPE
leadgeneratedlead_generated*cpe:2.3:a:leadgenerated:lead_generated:*:*:*:*:*:wordpress:*:*

Vendor	Product	Version	CPE
leadgenerated	lead_generated	*	cpe:2.3:a:leadgenerated:lead_generated::::::wordpress::*

References

www.tenable.com/security/research/tra-2023-7

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.6

Confidence

High

EPSS

0.002

Percentile

58.0%

JSON

Related for NVD:CVE-2023-28667

cve1 cvelist1 prion1 openvas1