Lucene search
+L

3791 matches found

Nuclei
Nuclei
added yesterday129 views

My Geo Posts Free <= 1.2 - PHP Object Injection

The My Geo Posts Free plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.2 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If ...

9.8CVSS8.9AI score0.0307EPSS
Exploits0References4
CVE
CVE
added 2 days ago22 views

CVE-2026-54159

CVE-2026-54159 affects PrestaShop ps_facetedsearch module versions 3.0.0 through 4.0.3. The root cause is trusting the value of slider filters (price/weight) from the request URL, storing it in an internal cache, and deserializing it with PHP’s native unserialize(), enabling a crafted object inje...

10CVSS5.7AI score0.0075EPSS
Exploits0References3
Nuclei
Nuclei
added 2 days ago156 views

GiveWP - PHP Object Injection

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.14.1 via deserialization of untrusted input from the 'givetitle' parameter. id: CVE-2024-5932 info: name: GiveWP - PHP Object Injection author:...

10CVSS8.8AI score0.74283EPSS
Exploits11References7
Nuclei
Nuclei
added 2 days ago31 views

GiveWP Donation Plugin <= 3.16.1 - Unauthenticated PHP Object Injection

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.16.1. This is due to insufficient input validation on user-supplied data. An unauthenticated attacker can inject a serialized PHP object, which...

10CVSS9.1AI score0.28931EPSS
Exploits3References4
Nuclei
Nuclei
added 3 days ago20 views

Better Search Replace < 1.4.5 - PHP Object Injection

The Better Search Replace plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.4 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin. I...

9.8CVSS7.2AI score0.68047EPSS
Exploits2References2
CVE
CVE
added 3 days ago17 views

CVE-2026-15008

The CVE concerns The Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin for WordPress. All versions up to and including 7.3.1.4 are affected by an arbitrary file deletion vulnerability caused by insufficient file path validation in the fr_token function, enabling...

8.1CVSS6.5AI score0.00582EPSS
Exploits0References7
Cvelist
Cvelist
added 3 days ago41 views

CVE-2026-15008 Uncanny Automator <= 7.3.1.4 - Unauthenticated PHP Object Injection to Arbitrary File Deletion via Forminator Submitted-Field Token

The Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the frtoken function in all versions up to, and including, 7.3.1.4. This makes it possible for...

8.1CVSS0.00582EPSS
Exploits0References7
CVE
CVE
added 5 days ago18 views

CVE-2026-12583

Summary: The Newsletters WordPress plugin before 4.15 is vulnerable to unauthenticated PHP object injection via a subscriber custom field. Deserialization of untrusted input stored through a public form enables an attacker to write arbitrary files and execute code on the server via a gadget chain...

8.1CVSS6.4AI score0.00326EPSS
Exploits0References1
EUVD
EUVD
added 6 days ago6 views

EUVD-2026-43286

The Database for Contact Form 7, WPforms, Elementor forms WordPress plugin before 1.5.2 does not restrict the PHP classes allowed when unserializing an attacker-supplied form-field value, allowing unauthenticated users to inject arbitrary PHP objects that are instantiated when an administrator...

5CVSS6.2AI score0.00139EPSS
Exploits0References2
CVE
CVE
added 6 days ago5 views

CVE-2026-59521

The CVE-2026-59521 issue affects the WordPress Real Testimonials plugin (testimonial-free) by Deserialization of Untrusted Data, enabling PHP object injection in versions

7.2CVSS6.1AI score0.003EPSS
Exploits0References1
CVE
CVE
added 6 days ago12 views

CVE-2026-57713

CVE-2026-57713 : The WordPress Plugins Events Manager (events-manager ) is affected up to version 7.3.6. The issue is a PHP Object Injection caused by deserialization of untrusted data, enabling object injection. The affected component is the Events Manager plugin for WordPress; root cause is des...

8.8CVSS6.1AI score0.00317EPSS
Exploits0References1
NVD
NVD
added 6 days ago4 views

CVE-2026-12081

The Database for Contact Form 7, WPforms, Elementor forms WordPress plugin before 1.5.2 does not restrict the PHP classes allowed when unserializing an attacker-supplied form-field value, allowing unauthenticated users to inject arbitrary PHP objects that are instantiated when an administrator...

5CVSS0.00139EPSS
Exploits0References1
OSV
OSV
added 2026/07/10 9:46 p.m.3 views

CVE-2026-55803 Drupal core - Critical - PHP object injection - SA-CORE-2026-005

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0.,...

5.9CVSS6.1AI score0.00215EPSS
Exploits0References5
CVE
CVE
added 2026/07/10 9:46 p.m.25 views

CVE-2026-13244

CVE-2026-13244 affects the Drupal integration module Tealium iQ Tag Management. The issue arises from how the module stores data in the PHP-serialized field tealiumiq, which can lead to an Object Injection vulnerability when serialized data is unserialized. Affected versions are Tealium iQ Tag Ma...

8.1CVSS6.1AI score0.00423EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/07/10 9:44 p.m.32 views

CVE-2026-55810 Plotly.js Graphing - Critical - PHP object injection - SA-CONTRIB-2026-050

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Plotly.js Graphing allows Object Injection. This issue affects Plotly.js Graphing versions: from 0.0.0 to 3.0.2...

0.00248EPSS
Exploits0References1
CVE
CVE
added 2026/07/10 9:44 p.m.15 views

CVE-2026-55810

The CVE-2026-55810 issue affects Drupal Plotly.js Graphing, with PHP object injection via unserialization in the Plotly.js Graphing module. Concrete details from connected sources: vulnerable versions 0.0.0 through 3.0.2; attacker must have permission to edit a content entity containing the plotl...

8.1CVSS6.1AI score0.00248EPSS
Exploits0References1Affected Software1
OSV
OSV
added 2026/07/10 9:44 p.m.4 views

CVE-2026-55810 Plotly.js Graphing - Critical - PHP object injection - SA-CONTRIB-2026-050

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Plotly.js Graphing allows Object Injection. This issue affects Plotly.js Graphing versions: from 0.0.0 to 3.0.2...

8.1CVSS6.1AI score0.00248EPSS
Exploits0References5
CVE
CVE
added 2026/07/10 9:43 p.m.19 views

CVE-2026-12535

CVE-2026-12535 concerns the Drupal Formatter Field module, where the vulnerability arises from storing data as PHP-serialized strings and exposing a risk of object injection when malicious data is written to the formatter_field. The affected versions span 0.0.0 through 2.0.0. The root cause invol...

9.8CVSS6.1AI score0.00386EPSS
Exploits0References1
EUVD
EUVD
added 2026/07/10 1:58 p.m.8 views

EUVD-2026-42903

Grav before 2.0.2 contains a Twig sandbox bypass that allows a page author any admin.pages user, or anyone able to write to user/pages to exfiltrate configuration secrets. Although the sandbox replaces the 'config' variable with a redacted facade and strips Config::get/toArray from the method...

7.1CVSS6.1AI score0.00246EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/07/10 12:0 a.m.7 views

PT-2026-57368

Name of the Vulnerable Software and Affected Versions ps facetedsearch versions 3.0.0 through 4.0.3 Description An unauthenticated PHP Object Injection flaw exists in the ps facetedsearch module. The module rebuilds search filters from the request URL, where values for slider filters, specificall...

10CVSS6AI score0.0075EPSS
Exploits0References12
Rows per page
Query Builder