CVE-2024-4413
The Hotel Booking Lite plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.11.1 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable plugi...
CVE-2024-3954
The Ditty plugin for WordPress is vulnerable to PHP Object Injection in all versions up to 3.1.38 via deserialization of untrusted input when adding a new ditty. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. No known POP chain...
CVE-2024-3070
The Last Viewed Posts by WPBeginner plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0.0 via deserialization of untrusted input from the LastViewedPosts Cookie. This makes it possible for unauthenticated attackers to inject a PHP Object. No known...
CVE-2024-2290
The Advanced Ads plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.52.1 via deserialization of untrusted input in the 'placement_slug' parameter. This makes it possible for authenticated attackers to inject a PHP Object. No POP chain is present in t...
WordPress Order Export & Order Import for WooCommerce Plugin <= 2.4.9 is vulnerable to PHP Object Injection
Software Order Export & Order Import for WooCommerce Type Plugin Vulnerable versions = 2.4.9 Fixed in 2.5.0 OWASP Top 10 A3: Injection Classification PHP Object Injection CVE CVE-2024-34751 Patch priority Low CVSS severity Low 4.4 Developer Claim ownership PSID 6a894e737867 Credits Trình Vũ...
Email Subscribers by Icegram Express < 5.7.20 - Missing Authorization in handle_ajax_request
Description The Email Subscribers by Icegram Express plugin for WordPress is vulnerable to unauthorized access of data, modification of data, and loss of data due to a missing capability check on the handle_ajax_request function in all versions up to, and including, 5.7.19. This makes it possible f...
RHEL 5 : squirrelmail (Unpatched Vulnerability)
The remote Redhat Enterprise Linux 5 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. - squirrelmail: Insufficient escaping of user-supplied data CVE-2017-7692 - squirrelmail: use of unserializ...
CVE-2024-4413 Hotel Booking Lite <= 4.11.1 - Unauthenticated PHP Object Injection
The Hotel Booking Lite plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.11.1 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable plugi...
CVE-2024-4413
The CVE-2024-4413 entry concerns the Hotel Booking Lite plugin for WordPress, vulnerable to unauthenticated PHP Object Injection (deserialization) up to version 4.11.1. The vulnerability could allow an attacker to inject a PHP object; while no POP chain is known in the plugin itself, a POP chain ...
WordPress Hotel Booking Lite Plugin <= 4.11.1 is vulnerable to PHP Object Injection
Software Hotel Booking Lite Type Plugin Vulnerable versions = 4.11.1 Fixed in 4.11.2 OWASP Top 10 A1: Injection Classification PHP Object Injection CVE CVE-2024-4413 Patch priority High CVSS severity High 9 Developer Claim ownership PSID f9d7cef7773f Credits Trinh Vu Sonicrrrr Required privilege...
CVE-2024-2290 Advanced Ads – Ad Manager & AdSense <= 1.52.1 - Authenticated (Admin+) PHP Object Injection
The Advanced Ads plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.52.1 via deserialization of untrusted input in the 'placement_slug' parameter. This makes it possible for authenticated attackers to inject a PHP Object. No POP chain is present in t...
CVE-2024-2290
CVE-2024-2290 : Advanced Ads – Ad Manager & AdSense for WordPress (up to 1.52.1) is vulnerable to PHP Object Injection via deserialization of untrusted input in the placement_slug parameter. The issue enables authenticated attackers to inject a PHP object. The Red Hat advisory and Wordfence note ...
CVE-2024-3070 Last Viewed Posts by WPBeginner <= 1.0.0 - Unauthenticated PHP Object Injection
The Last Viewed Posts by WPBeginner plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0.0 via deserialization of untrusted input from the LastViewedPosts Cookie. This makes it possible for unauthenticated attackers to inject a PHP Object. No known...
CVE-2024-3070
CVE-2024-3070 affects the WordPress plugin Last Viewed Posts by WPBeginner (vulnerable up to 1.0.0). It allows unauthenticated PHP Object Injection via deserialization of the LastViewedPosts cookie. The vendor notes no known POP chain publicly; however, if a POP chain exists via another plugin or...
CVE-2024-3954 Ditty – Responsive News Tickers, Sliders, and Lists <= 3.1.38 - Authenticated (Contributor+) PHP Object Injection
The Ditty plugin for WordPress is vulnerable to PHP Object Injection in all versions up to 3.1.38 via deserialization of untrusted input when adding a new ditty. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. No known POP chain...
CVE-2024-3954
CVE-2024-3954 affects the Ditty WordPress plugin (Ditty – Responsive News Tickers, Sliders, and Lists) for all versions up to 3.1.38. Root cause: PHP Object Injection via deserialization of untrusted input when adding a new ditty. Exploitation requires authenticated access at contributor level or...