Deserialization of untrusted data

2023-06-0702:15:00

PRIOn knowledge base

www.prio-n.com

deserialization untrusted data

php object injection

wordpress

vulnerable plugin

9.6 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

54.2%

JSON

The Ultimate Reviews plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.1.32 via deserialization of untrusted input in several vulnerable functions. This allows unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin.

CPENameOperatorVersion
ultimate_reviewsle2.1.32

CPE	Name	Operator	Version
	ultimate_reviews	le	2.1.32

References

blog.nintechnet.com/wordpress-ultimate-reviews-plugin-fixed-insecure-deserialization-vulnerability/

plugins.trac.wordpress.org/changeset/2409141

www.wordfence.com/threat-intel/vulnerabilities/id/db30acd7-ce51-45d9-8ff0-6ceea8237a8c?source=cve