CVE-2026-10749
CVE-2026-10749 affects the Post Duplicator WordPress plugin (pre-3.0.15). The vulnerability arises from improper handling of custom metadata during post duplication, storing attacker-supplied serialized values without the WordPress meta API double-serialization protection, enabling PHP Object inj...
CVE-2026-10749 Post Duplicator < 3.0.15 - Contributor+ PHP Object Injection via customMetaData
The Post Duplicator WordPress plugin before 3.0.15 does not safely handle custom meta-data during post duplication, storing attacker-supplied serialized values without the WordPress meta API's double-serialization protection, allowing users with Contributor-level access and above to inject a PHP...
EUVD-2026-38694
The Post Duplicator WordPress plugin before 3.0.15 does not safely handle custom meta-data during post duplication, storing attacker-supplied serialized values without the WordPress meta API's double-serialization protection, allowing users with Contributor-level access and above to inject a PHP...
Better Search Replace < 1.4.5 - PHP Object Injection
The Better Search Replace plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.4 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin. I...
GiveWP - PHP Object Injection
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.14.1 via deserialization of untrusted input from the 'givetitle' parameter. id: CVE-2024-5932 info: name: GiveWP - PHP Object Injection author:...
GiveWP Donation Plugin <= 3.16.1 - Unauthenticated PHP Object Injection
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.16.1. This is due to insufficient input validation on user-supplied data. An unauthenticated attacker can inject a serialized PHP object, which...
My Geo Posts Free <= 1.2 - PHP Object Injection
The My Geo Posts Free plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.2 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If ...
EUVD-2025-210258
Unauthenticated PHP Object Injection in Plumbing = 1.6 versions...
EUVD-2026-37607
Unauthenticated PHP Object Injection in AI Lab 5.4.2 versions...
CVE-2026-40757
Unauthenticated PHP Object Injection in Château = 1.2.1 versions...
CVE-2026-40756
Unauthenticated PHP Object Injection in Zoya = 1.4 versions...
CVE-2026-39576
Unauthenticated PHP Object Injection in SingleMalt = 1.5 versions...
CVE-2026-39560
Unauthenticated PHP Object Injection in Hiroshi = 1.5.1 versions...
CVE-2025-69127
Unauthenticated PHP Object Injection in Plumbing = 1.6 versions...
CVE-2025-69130
Subscriber PHP Object Injection in Entrepreneur - Booking for Small Businesses WordPress Theme = 3.1.3 versions...
CVE-2025-60236 WordPress Creatify theme <= 1.5 - PHP Object Injection vulnerability
Deserialization of Untrusted Data vulnerability in EMV Creatify allows Object Injection. This issue affects Creatify: from n/a through 1.5...
CVE-2026-54194
Contributor PHP Object Injection in Fusion Builder = 3.15.4 versions...
CVE-2026-49107
Unauthenticated PHP Object Injection in Thrive Apprentice 10.8.10.2 versions...
CVE-2026-42380
Unauthenticated PHP Object Injection in AI Lab 5.4.2 versions...
CVE-2026-40759
Unauthenticated PHP Object Injection in Esmée = 1.4 versions...