3726 matches found

CVE
added 2024/05/22 7:37 a.m., 71 views

CVE-2024-4157

CVE-2024-4157 covers a PHP Object Injection vulnerability in the WordPress plugin “Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder.” All versions up to and including 5.1.15 are affected via deserialization in the extractDynamicValues function. Exploitation re...

CVSS 8.8, AI score 7.9, EPSS 0.00696
Exploits 1, References 2, Affected Software 1

CNNVD
added 2024/05/22 12:0 a.m., 4 views

WordPress plugin Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder Security Vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers. WordPress plugin is an application plugin. WordPress plugin Contact Form Plugin by...

CVSS 8.8, AI score 6.9, EPSS 0.00696
Exploits 1, References 3

WPVulnDB
added 2024/05/20 12:0 a.m., 18 views

Order Export & Order Import for WooCommerce < 2.5.0 - Authenticated (Administrator+) PHP Object Injection

Description: The Order Export & Order Import for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.4.9 via deserialization of untrusted input. This makes it possible for authenticated attackers, with Administrator-level access and above,...

CVSS 4.4, AI score 7.4, EPSS 0.00244
Exploits 0, References 1, Affected Software 1

WPVulnDB
added 2024/05/17 12:0 a.m., 12 views

One Click Demo Import < 3.2.1 - Authenticated (Admin+) PHP Object Injection

Description: The One Click Demo Import plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.2.0 via deserialization of untrusted input. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject a PHP Objec...

CVSS 7.2, AI score 6.8, EPSS 0.00495
Exploits 0, References 1, Affected Software 1

NVD
added 2024/05/16 8:15 p.m., 18 views

CVE-2024-4733

The ShiftController Employee Shift Scheduling plugin is vulnerable to PHP Object Injection via deserialization of untrusted input via the hc3_session-cookie in versions up to, and including, 4.9.57. This makes it possible for an authenticated attacker with contributor access-level or above to inje...

CVSS 7.5, AI score 7.8, EPSS 0.00588
Exploits 0, References 2

Vulnrichment
added 2024/05/16 7:33 p.m., 15 views

CVE-2024-4733 ShiftController Employee Shift Scheduling <= 4.9.57 - Authenticated (Contributor+) PHP Object Injection

The ShiftController Employee Shift Scheduling plugin is vulnerable to PHP Object Injection via deserialization of untrusted input via the hc3_session-cookie in versions up to, and including, 4.9.57. This makes it possible for an authenticated attacker with contributor access-level or above to inje...

CVSS 7.5, AI score 7.1, EPSS 0.00588
Exploits 0, References 2

CVE
added 2024/05/16 7:33 p.m., 62 views

CVE-2024-4733

CVE-2024-4733 affects ShiftController Employee Shift Scheduling WordPress plugin. Some versions up to 4.9.57 are vulnerable to PHP Object Injection via deserialization of untrusted input in the hc3_session cookie, exploitable by an authenticated attacker with contributor+ privileges to inject a P...

CVSS 7.5, AI score 7, EPSS 0.00588
Exploits 0, References 2

Cvelist
added 2024/05/16 7:33 p.m., 32 views

CVE-2024-4733 ShiftController Employee Shift Scheduling <= 4.9.57 - Authenticated (Contributor+) PHP Object Injection

The ShiftController Employee Shift Scheduling plugin is vulnerable to PHP Object Injection via deserialization of untrusted input via the hc3_session-cookie in versions up to, and including, 4.9.57. This makes it possible for an authenticated attacker with contributor access-level or above to inje...

CVSS 7.5, AI score 7.8, EPSS 0.00588
Exploits 0, References 2

NVD
added 2024/05/16 11:15 a.m., 9 views

CVE-2024-4838

The ConvertPlus plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.5.26 via deserialization of untrusted input from the 'settings_encoded' attribute of the 'smile_modal' shortcode. This makes it possible for authenticated attackers, with...

CVSS 7.5, AI score 8.8, EPSS 0.00594
Exploits 0, References 2

Vulnrichment
added 2024/05/16 11:5 a.m., 15 views

CVE-2024-4838 ConvertPlus <= 3.5.26 - Authenticated (Contributor+) PHP Object Injection

The ConvertPlus plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.5.26 via deserialization of untrusted input from the 'settings_encoded' attribute of the 'smile_modal' shortcode. This makes it possible for authenticated attackers, with...

CVSS 7.5, AI score 7.1, EPSS 0.00594
Exploits 0, References 2

CVE
added 2024/05/16 11:5 a.m., 57 views

CVE-2024-4838

CVE-2024-4838 - ConvertPlus (WordPress): A PHP Object Injection exists in all versions up to 3.5.26 via deserialization of untrusted input from the settings_encoded attribute of the smile_modal shortcode. Exploitation requires at least contributor-level authentication; there is no POP chain by d...

CVSS 7.5, AI score 7, EPSS 0.00594
Exploits 0, References 2

Cvelist
added 2024/05/16 11:5 a.m., 18 views

CVE-2024-4838 ConvertPlus <= 3.5.26 - Authenticated (Contributor+) PHP Object Injection

The ConvertPlus plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.5.26 via deserialization of untrusted input from the 'settings_encoded' attribute of the 'smile_modal' shortcode. This makes it possible for authenticated attackers, with...

CVSS 7.5, AI score 9.3, EPSS 0.00594
Exploits 0, References 2

Patchstack
added 2024/05/16 12:0 a.m., 19 views

WordPress ShiftController Employee Shift Scheduling Plugin <= 4.9.57 is vulnerable to PHP Object Injection

Software: ShiftController Employee Shift Scheduling; Type: Plugin; Vulnerable versions: = 4.9.57; Fixed in: 4.9.58; OWASP Top 10: A1: Injection; Classification: PHP Object Injection; CVE: CVE-2024-4733; Patch priority: Medium; CVSS severity: Medium 8.5; PSID: c137dcbad43b; Credits: Peter...

CVSS 7.5, AI score 6.8, EPSS 0.00588
Exploits 0, References 3, Affected Software 1

WPVulnDB
added 2024/05/16 12:0 a.m., 18 views

ShiftController Employee Shift Scheduling < 4.9.58 - Authenticated (Contributor+) PHP Object Injection

Description: The ShiftController Employee Shift Scheduling plugin is vulnerable to PHP Object Injection via deserialization of untrusted input via the hc3_session-cookie in versions up to, and including, 4.9.57. This makes it possible for an authenticated attacker with contributor access-level or...

CVSS 7.5, AI score 7.4, EPSS 0.00588
Exploits 0, References 1, Affected Software 1

CNNVD
added 2024/05/16 12:0 a.m., 4 views

WordPress Plugin ConvertPlus Security Vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A security...

CVSS 8.8, AI score 6.9, EPSS 0.00594
Exploits 0, References 3

NVD
added 2024/05/15 9:15 a.m., 18 views

CVE-2024-4010

The Email Subscribers by Icegram Express plugin for WordPress is vulnerable to unauthorized access of data, modification of data, and loss of data due to a missing capability check on the handle_ajax_request function in all versions up to, and including, 5.7.19. This makes it possible for...

CVSS 8.8, AI score 8.9, EPSS 0.00392
Exploits 0, References 2

Vulnrichment
added 2024/05/15 8:34 a.m., 12 views

CVE-2024-4010 Email Subscribers by Icegram Express <= 5.7.19 - Missing Authorization in handle_ajax_request

The Email Subscribers by Icegram Express plugin for WordPress is vulnerable to unauthorized access of data, modification of data, and loss of data due to a missing capability check on the handle_ajax_request function in all versions up to, and including, 5.7.19. This makes it possible for...

CVSS 8.8, AI score 7.7, EPSS 0.00392
Exploits 0, References 2

CVE
added 2024/05/15 8:34 a.m., 41 views

CVE-2024-4010

CVE-2024-4010 affects the WordPress plugin Email Subscribers by Icegram Express (all versions up to 5.7.19). The root cause is a missing capability check in handle_ajax_request, enabling authenticated users with subscriber-level access and above to perform unauthorized actions that compromise con...

CVSS 8.8, AI score 9.4, EPSS 0.00392
Exploits 0, References 2

WPVulnDB
added 2024/05/15 12:0 a.m., 12 views

Ultimate Store Kit Elementor Addons <= 1.6.2 - Unauthenticated PHP Object Injection

Description: The Ultimate Store Kit Elementor Addons, Woocommerce Builder, EDD Builder, Elementor Store Builder, Product Grid, Product Table, Woocommerce Slider plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.6.2 via deserialization of untrusted...

CVSS 5.4, AI score 7.7, EPSS 0.00329
Exploits 0, References 1

WPVulnDB
added 2024/05/15 12:0 a.m., 16 views

ConvertPlus < 3.5.26.1 - Authenticated (Contributor+) PHP Object Injection

Description: The ConvertPlus plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.5.26 via deserialization of untrusted input from the 'settings_encoded' attribute of the 'smile_modal' shortcode. This makes it possible for authenticated attackers, with...

CVSS 8.8, AI score 7.1, EPSS 0.00594
Exploits 0, References 1, Affected Software 1