11 matches found
CVE-2025-14071 Live Composer – Free WordPress Website Builder <= 2.0.2 - Authenticated (Contributor+) PHP Object Injection via dslc_module_posts_output Shortcode
The Live Composer – Free WordPress Website Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.0.2 via deserialization of untrusted input in the dslc_module_posts_output shortcode. This makes it possible for authenticated attackers, with...
CVE-2017-20208
CVE-2017-20208 affects the WordPress plugin RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login. All versions up to 3.7.9.3 are vulnerable to PHP Object Injection via deserialization of untrusted input from the is_expired_by_date() function. This allows unaut...
EUVD-2025-28798
Malicious code in bioql PyPI...
EUVD-2025-8124
Malicious code in bioql PyPI...
CVE-2025-7825
CVE-2025-7825 affects Schema Plugin For Divi, Gutenberg & Shortcodes (WordPress) up to version 4.3.2. The flaw is Object Instantiation via deserialization of untrusted input through the wpt_schema_breadcrumbs shortcode. Exploitation requires authenticated access at Contributor level or higher; th...
LlamaIndex has Incomplete Documentation of Program Execution related to JsonPickleSerializer component
Incomplete Documentation of Program Execution exists in the run-llama/llama_index library's JsonPickleSerializer component, affecting versions v0.12.27 through v0.12.40. This vulnerability allows remote code execution due to an insecure fallback to Python's pickle module. JsonPickleSerializer...
CVE-2024-13899
The Mambo Importer plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0 via deserialization of untrusted input via the $data parameter in the fImportMenu function. This makes it possible for authenticated attackers, with Administrator-level access a...
PT-2024-18444 · WordPress · Carousel Slider & Grid Ultimate
Name of the Vulnerable Software and Affected Versions: The Product Carousel Slider & Grid Ultimate for WooCommerce plugin for WordPress versions up to, and including, 1.9.7 Description: The issue allows authenticated attackers with contributor access and above to inject a PHP Object via...
CVE-2023-39396
Deserialization vulnerability in the input module. Successful exploitation of this vulnerability may affect availability...
CVE-2019-10068
An issue was discovered in Kentico 12.0.x before 12.0.15, 11.0.x before 11.0.48, 10.0.x before 10.0.52, and 9.x versions. Due to a failure to validate security headers, it was possible for a specially crafted request to the staging service to bypass the initial authentication and proceed to...
PHP 'exception::getTraceAsString' type confusion vulnerability
PHP is a general-purpose scripting language. A type confusion vulnerability in PHP exception::getTraceAsString when handling input from deserialization constructs allows remote attackers to exploit the vulnerability to obtain information about an application's leaked memory or execute arbitrary...