Deserialization of untrusted data
The BuddyForms WordPress plugin, in versions prior to 2.7.8, was affected by an unauthenticated insecure deserialization issue. An unauthenticated attacker could leverage this issue to call files using a PHAR wrapper that will deserialize the data and call arbitrary PHP Objects that can be used t...
BuddyForms < 2.7.8 - Unauthenticated PHAR Deserialization
The plugin does not validate the url parameter of its uploadimagefromurl AJAX action, which could allow unauthenticated attackers to perform PHAR deserialisation, provided they can upload a file to the server and a suitable gadget chain is present as well. PoC: 1. Create a malicious phar file. 2...
BuddyForms < 2.7.8 - Unauthenticated PHAR Deserialization
The plugin does not validate the url parameter of its uploadimagefromurl AJAX action, which could allow unauthenticated attackers to perform PHAR deserialisation, provided they can upload a file to the server and a suitable gadget chain is present as well. 1. Create a malicious phar file. 2. Upload t...
CVE-2023-26326
The BuddyForms WordPress plugin, in versions prior to 2.7.8, was affected by an unauthenticated insecure deserialization issue. An unauthenticated attacker could leverage this issue to call files using a PHAR wrapper that will deserialize the data and call arbitrary PHP Objects that can be used t...
PT-2023-20614 · WordPress · Buddyforms
Name of the Vulnerable Software and Affected Versions: BuddyForms WordPress plugin versions prior to 2.7.8. Description: The issue is related to an unauthenticated insecure deserialization problem. An attacker could exploit this to call files using a PHAR wrapper, which deserializes data and calls...
CVE-2023-26326
CVE-2023-26326 affects the BuddyForms WordPress plugin, versions before 2.7.8. The vulnerability is an unauthenticated insecure deserialization due to how buddyforms_upload_image_from_url handles input, permitting a PHAR wrapper to deserialize data and invoke arbitrary PHP objects. This can enabl...
WordPress Plugin BuddyForms Code Problem Vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blogging platform developed in the PHP language; it supports personal blog sites on servers running PHP and MySQL. WordPress plugins are application plugins for that platform. A security vulnerability exists in...
WordPress BuddyForms Plugin <= 2.7.7 is vulnerable to PHP Object Injection
Software: BuddyForms. Type: Plugin. Vulnerable versions: <= 2.7.7. Fixed in: 2.7.8. OWASP Top 10: A1: Injection. Classification: PHP Object Injection. CVE: N/A. Patch priority: High. CVSS severity: High 5.4. Developer: Claim ownership. PSID: 2e9e362a10ab. Credits: WordFence. Required privilege: Subscriber. Published: 21...
WordPress BuddyForms plugin <= 2.7.2 - Auth. Stored Cross-Site Scripting (XSS) vulnerability
Auth. Stored Cross-Site Scripting (XSS) vulnerability discovered by Ngo Van Thien (Patchstack Alliance) in the WordPress BuddyForms plugin versions <= 2.7.2. Solution: No patched version is available...
WordPress BuddyForms plugin <= 2.6.2 - Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability
Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability discovered in WordPress BuddyForms plugin versions <= 2.6.2. Solution: Update the WordPress BuddyForms plugin to the latest available version (at least 2.6.3)...
WordPress BuddyForms plugin <= 2.6.2 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered in WordPress BuddyForms plugin versions <= 2.6.2. Solution: Update the WordPress BuddyForms plugin to the latest available version (at least 2.6.3)...
WordPress BuddyForms EasyPin plugin <= 1.0.1 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered in WordPress BuddyForms EasyPin plugin versions <= 1.0.1. Solution: No patched version available...
WordPress BuddyForms EasyPin plugin <= 1.0.1 - Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability
Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability discovered in WordPress BuddyForms EasyPin plugin versions <= 1.0.1. Solution: No patched version available...
WordPress buddyforms plugin SQL injection vulnerability
WordPress is a blogging platform from the WordPress Foundation, developed in the PHP language, which supports personal blog sites on servers running PHP and MySQL. A SQL injection vulnerability exists in WordPress buddyforms plugin versions prior to 2.2.8, which can be exploited by...
CVE-2018-21003
The buddyforms plugin before 2.2.8 for WordPress has SQL injection...
SQL injection
The buddyforms plugin before 2.2.8 for WordPress has SQL injection...
CVE-2018-21003
The CVE-2018-21003 entry concerns the WordPress BuddyForms plugin prior to version 2.2.8, which is vulnerable to SQL injection. The affected component is the BuddyForms plugin (WordPress integration); root cause reported is SQL injection. Impact is described in the initial data as high severity (...