CVE-2024-10587 Funnelforms Free <= 3.7.5.1 - Authenticated (Contributor+) PHP Object Injection

The Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.7.5.1 via deserialization of untrusted input. This makes it possible for authenticated attackers,...

WordPress Welcart e-Commerce plugin <= 1.9.35 - Authenticated PHP Object Injection vulnerability

Authenticated PHP Object Injection vulnerability found by Ramuel Gall in WordPress Welcart e-Commerce plugin versions = 1.9.35. Solution Update the WordPress Welcart e-Commerce plugin to the latest available version at least 1.9.36...

Newsletter < 6.8.2 - Authenticated PHP Object Injection

The ‘restoreoptionsfromrequest‘ function called by the AJAX function ‘tnpcrendercallback‘ runs ‘unserialize’ directly on ‘$options'inlineedits'’ which is provided by user input in the $POST‘options’ parameter. This creates the potential for an Object Injection vulnerability. For example, a user...

Splashing Images <= 2.1 - Authenticated PHP Object Injection

The Splashing Images WordPress plugin was affected by an Authenticated PHP Object Injection security vulnerability...