PRIOn knowledge base: PRION:CVE-2020-36727
History: Jun 07, 2023 - 2:15 a.m.

Deserialization of untrusted data

2023-06-07 02:15:00
PRIOn knowledge base
www.prio-n.com
Tags: deserialization, untrusted data, wordpress, newsletter manager, vulnerability, php object injection

AI Score: 9.3 High (Confidence: High)
EPSS: 0.002 Low (Percentile: 55.0%)

The Newsletter Manager plugin for WordPress is vulnerable to insecure deserialization in versions up to, and including, 1.5.1. This is due to unsanitized input from the ‘customFieldsDetails’ parameter being passed through a deserialization function. This potentially makes it possible for unauthenticated attackers to inject a serialized PHP object.

CPE Name | Operator | Version
newsletter_manager | le | 1.5.1
