3784 matches found
GiveWP Donation Plugin <= 3.16.1 - Unauthenticated PHP Object Injection
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.16.1. This is due to insufficient input validation on user-supplied data. An unauthenticated attacker can inject a serialized PHP object, which...
My Geo Posts Free <= 1.2 - PHP Object Injection
The My Geo Posts Free plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.2 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If ...
CVE-2026-12583
Summary: The Newsletters WordPress plugin before 4.15 is vulnerable to unauthenticated PHP object injection via a subscriber custom field. Deserialization of untrusted input stored through a public form enables an attacker to write arbitrary files and execute code on the server via a gadget chain...
EUVD-2026-43286
The Database for Contact Form 7, WPforms, Elementor forms WordPress plugin before 1.5.2 does not restrict the PHP classes allowed when unserializing an attacker-supplied form-field value, allowing unauthenticated users to inject arbitrary PHP objects that are instantiated when an administrator...
CVE-2026-59521
The CVE-2026-59521 issue affects the WordPress Real Testimonials plugin (testimonial-free) by Deserialization of Untrusted Data, enabling PHP object injection in versions
CVE-2026-57713
CVE-2026-57713 : The WordPress Plugins Events Manager (events-manager ) is affected up to version 7.3.6. The issue is a PHP Object Injection caused by deserialization of untrusted data, enabling object injection. The affected component is the Events Manager plugin for WordPress; root cause is des...
CVE-2026-12081
The Database for Contact Form 7, WPforms, Elementor forms WordPress plugin before 1.5.2 does not restrict the PHP classes allowed when unserializing an attacker-supplied form-field value, allowing unauthenticated users to inject arbitrary PHP objects that are instantiated when an administrator...
Better Search Replace < 1.4.5 - PHP Object Injection
The Better Search Replace plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.4 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin. I...
GiveWP - PHP Object Injection
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.14.1 via deserialization of untrusted input from the 'givetitle' parameter. id: CVE-2024-5932 info: name: GiveWP - PHP Object Injection author:...
CVE-2026-55803 Drupal core - Critical - PHP object injection - SA-CORE-2026-005
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0.,...
CVE-2026-13244
CVE-2026-13244 affects the Drupal integration module Tealium iQ Tag Management. The issue arises from how the module stores data in the PHP-serialized field tealiumiq, which can lead to an Object Injection vulnerability when serialized data is unserialized. Affected versions are Tealium iQ Tag Ma...
CVE-2026-55810
The CVE-2026-55810 issue affects Drupal Plotly.js Graphing, with PHP object injection via unserialization in the Plotly.js Graphing module. Concrete details from connected sources: vulnerable versions 0.0.0 through 3.0.2; attacker must have permission to edit a content entity containing the plotl...
CVE-2026-55810 Plotly.js Graphing - Critical - PHP object injection - SA-CONTRIB-2026-050
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Plotly.js Graphing allows Object Injection. This issue affects Plotly.js Graphing versions: from 0.0.0 to 3.0.2...
CVE-2026-12535
CVE-2026-12535 concerns the Drupal Formatter Field module, where the vulnerability arises from storing data as PHP-serialized strings and exposing a risk of object injection when malicious data is written to the formatter_field. The affected versions span 0.0.0 through 2.0.0. The root cause invol...
EUVD-2026-42903
Grav before 2.0.2 contains a Twig sandbox bypass that allows a page author any admin.pages user, or anyone able to write to user/pages to exfiltrate configuration secrets. Although the sandbox replaces the 'config' variable with a redacted facade and strips Config::get/toArray from the method...
PT-2026-57368
Name of the Vulnerable Software and Affected Versions ps facetedsearch versions 3.0.0 through 4.0.3 Description A PHP Object Injection issue exists in the ps facetedsearch module. The module rebuilds search filters from the request URL, but the values for slider filters, specifically price or...
PT-2026-56958
Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in Edge-Themes Overworld overworld allows PHP Local File Inclusion.This issue affects Overworld: from n/a through = 1.5...
PT-2026-56962
Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in CodexThemes TheGem Theme Elements for Elementor thegem-elements-elementor allows PHP Local File Inclusion.This issue affects TheGem Theme Elements for Elementor: from n/a through...
PT-2026-56948
Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in jwsthemes Aqua aqua allows PHP Local File Inclusion.This issue affects Aqua: from n/a through = 5.1.2...
PT-2026-56959
Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in Select-Themes SetSail setsail allows PHP Local File Inclusion.This issue affects SetSail: from n/a through = 2.1...