8041 matches found

Nuclei
added 12 hours ago, 16 views

Better Search Replace < 1.4.5 - PHP Object Injection

The Better Search Replace plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.4 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin. I...

CVSS 9.8 | AI score 7.5 | EPSS 0.68047
Exploits: 2 | References: 2
Nuclei
added 12 hours ago, 22 views

My Geo Posts Free <= 1.2 - PHP Object Injection

The My Geo Posts Free plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.2 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If ...

CVSS 9.8 | AI score 7.5 | EPSS 0.0307
Exploits: 0 | References: 4
Nuclei
added 12 hours ago, 41 views

SEOPress < 7.9 - Authentication Bypass

The SEOPress WordPress plugin before 7.9 does not properly protect some of its REST API routes, which combined with another Object Injection vulnerability can allow unauthenticated attackers to unserialize malicious gadget chains, compromising the site if a suitable chain is present. id:...

CVSS 9.8 | AI score 7 | EPSS 0.03775
Exploits: 1 | References: 4
Nuclei
added yesterday, 24 views

GiveWP Donation Plugin <= 3.16.1 - Unauthenticated PHP Object Injection

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.16.1. This is due to insufficient input validation on user-supplied data. An unauthenticated attacker can inject a serialized PHP object, which...

CVSS 10 | AI score 7.7 | EPSS 0.29101
Exploits: 3 | References: 4
Nuclei
added yesterday, 23 views

SugarCRM - Unauthenticated Remote Code Execution via PHP Object Injection

A PHP object injection vulnerability exists in SugarCRM versions prior to 6.5.24, 6.7.13, 7.5.2.5, 7.6.2.2, and 7.7.1.0 due to improper validation of PHP serialized input in the SugarRestSerialize.php script. The vulnerable code fails to sanitize the restdata parameter before passing it to the...

CVSS 9.3 | AI score 6.4 | EPSS 0.02971
Exploits: 0 | References: 5
Nuclei
added yesterday, 429 views

Revive Adserver 4.2 - Remote Code Execution

Revive Adserver 4.2 is susceptible to remote code execution. An attacker can send a crafted payload to the XML-RPC invocation script and trigger the unserialize call on the "what" parameter in the "openads.spc" RPC method. This can be exploited to perform various types of attacks, e.g...

CVSS 9.8 | AI score 7.5 | EPSS 0.57022
Exploits: 7 | References: 5
OSV
added 6 days ago, 5 views

DRUPAL-CORE-2026-005

SA-CORE-2019-003 added protection for fields that store serialized data to disallow direct writes via web services. The above fix did not cover all potential attack vectors for JSON:API. An attacker with appropriate JSON:API write permission could potentially inject a malicious payload in certain...

AI score 5.8
Exploits: 0 | References: 1
EUVD
added 6 days ago, 9 views

EUVD-2025-210259

Subscriber PHP Object Injection in Entrepreneur - Booking for Small Businesses WordPress Theme = 3.1.3 versions...

CVSS 8.8 | AI score 5.3 | EPSS 0.00482
Exploits: 0 | References: 2
EUVD
added 6 days ago, 7 views

EUVD-2025-210253

Unauthenticated PHP Object Injection in Reisen = 1.4.1 versions...

CVSS 9.8 | AI score 5.3 | EPSS 0.00386
Exploits: 0 | References: 2
EUVD
added 6 days ago, 6 views

EUVD-2025-210258

Unauthenticated PHP Object Injection in Plumbing = 1.6 versions...

CVSS 9.8 | AI score 5.3 | EPSS 0.00386
Exploits: 0 | References: 2
EUVD
added 6 days ago, 7 views

EUVD-2026-37628

Unauthenticated PHP Object Injection in JetEngine = 3.8.10 versions...

CVSS 9.8 | AI score 5.4 | EPSS 0.00386
Exploits: 0 | References: 2
EUVD
added 6 days ago, 8 views

EUVD-2026-37642

Unauthenticated PHP Object Injection in WP Activity Log = 5.6.3.1 versions...

CVSS 9.8 | AI score 5.4 | EPSS 0.00525
Exploits: 1 | References: 2
EUVD
added 6 days ago, 8 views

EUVD-2026-37622

Unauthenticated PHP Object Injection in Thrive Apprentice 10.8.10.2 versions...

CVSS 9.8 | AI score 5.4 | EPSS 0.00375
Exploits: 0 | References: 2
EUVD
added 6 days ago, 8 views

EUVD-2026-37617

Contributor PHP Object Injection in JetEngine = 3.8.9.1 versions...

CVSS 9.8 | AI score 5.3 | EPSS 0.00386
Exploits: 0 | References: 2
EUVD
added 6 days ago, 5 views

EUVD-2026-37597

Unauthenticated PHP Object Injection in Reina = 2.1 versions...

CVSS 8.1 | AI score 5.3 | EPSS 0.00395
Exploits: 0 | References: 2
EUVD
added 6 days ago, 5 views

EUVD-2026-37602

Unauthenticated PHP Object Injection in EasyMeals = 1.5.1 versions...

CVSS 8.1 | AI score 5.3 | EPSS 0.00308
Exploits: 0 | References: 2
EUVD
added 6 days ago, 12 views

EUVD-2026-37607

Unauthenticated PHP Object Injection in AI Lab 5.4.2 versions...

CVSS 9.8 | AI score 5.3 | EPSS 0.0051
Exploits: 0 | References: 2
EUVD
added 6 days ago, 8 views

EUVD-2026-37594

Unauthenticated PHP Object Injection in WooCommerce Product Filters 2.0.6 versions...

CVSS 9.8 | AI score 5.3 | EPSS 0.00375
Exploits: 0 | References: 2
EUVD
added 6 days ago, 6 views

EUVD-2026-37676

Unauthenticated PHP Object Injection in Mildhill = 1.5 versions...

CVSS 8.1 | AI score 5.3 | EPSS 0.00395
Exploits: 0 | References: 2
EUVD
added 6 days ago, 4 views

EUVD-2026-37673

Unauthenticated PHP Object Injection in Zermatt = 1.6.1 versions...

CVSS 8.1 | AI score 5.3 | EPSS 0.00395
Exploits: 0 | References: 2