PT-2024-15193 · WordPress · Phlox
Name of the Vulnerable Software and Affected Versions: Shortcodes and extra features for Phlox theme plugin for WordPress versions up to, and including, 2.15.2 Description: The issue concerns PHP Object Injection via deserialization of untrusted input from the vulnerable id parameter in the auxin...
CVE-2024-3591
The Geo Controller WordPress plugin before 8.6.5 unserializes user input via some of its AJAX actions and REST API routes, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog...
CVE-2024-3591 WordPress Geo Controller < 8.6.5 - PHP Object Injection
The Geo Controller WordPress plugin before 8.6.5 unserializes user input via some of its AJAX actions and REST API routes, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog...
CVE-2024-3591
CVE-2024-3591 affects the WordPress plugin Geo Controller up to version 8.6.5. The issue arises from unserializing user input in certain AJAX actions and REST API routes, enabling unauthenticated users to perform a PHP Object Injection if a suitable gadget is present on the blog. Evidence across ...
XStore Core <= 5.3.5 - Unauthenticated PHP Object Injection
Description The XStore Core plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.3.5 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin...
Custom field finder < 0.4 - Authenticated (Author+) PHP Object Injection
Description The Custom field finder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 0.3 via deserialization of untrusted input. This makes it possible for authenticated attackers, with author-level access and above, to inject a PHP Object. No known...
WordPress plugin Geo Controller security vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A security vulnerability...
CVE-2024-1895
The Event Monster – Event Management, Tickets Booking, Upcoming Event plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.4 via deserialization via shortcode of untrusted input from a custom meta value. This makes it possible for authenticated...
CVE-2024-1895
The Event Monster – Event Management, Tickets Booking, Upcoming Event plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.9 via deserialization via shortcode of untrusted input from a custom meta value. This makes it possible for authenticated...
CVE-2024-1895 Event Monster <= 1.3.9 - Authenticated(Contributor+) PHP Object Injection via Custom Meta
The Event Monster – Event Management, Tickets Booking, Upcoming Event plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.9 via deserialization via shortcode of untrusted input from a custom meta value. This makes it possible for authenticated...
CVE-2024-1895
CVE-2024-1895 affects the WordPress plugin Event Monster – Event Management, Tickets Booking, Upcoming Event. The vulnerability is a PHP Object Injection via deserialization in all versions up to and including 1.3.9, triggered by deserializing untrusted input from a shortcode of a custom meta va...
WordPress Event Management Tickets Booking Plugin <= 1.3.4 is vulnerable to PHP Object Injection
Software: Event Management Tickets Booking · Type: Plugin · Vulnerable versions: = 1.3.4 · Fixed in: 1.3.5 · OWASP Top 10: A1: Injection · Classification: PHP Object Injection · CVE: CVE-2024-1895 · Patch priority: Medium · CVSS severity: Medium 7.4 · Developer: Claim ownership · PSID: d93e6770a231 · Credits: Francesco Carlucci...
PT-2024-18402 · WordPress · The Event Monster
Name of the Vulnerable Software and Affected Versions: The Event Monster – Event Management, Tickets Booking, Upcoming Event plugin for WordPress versions up to, and including, 1.3.4 Description: The issue concerns a PHP Object Injection vulnerability via deserialization of untrusted input from a...
PT-2024-26777 · WordPress · Geo Controller
Name of the Vulnerable Software and Affected Versions: Geo Controller WordPress plugin versions prior to 8.6.5 Description: The issue allows unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog, due to the plugin unserializing user input via some of...
CVE-2024-33553 WordPress XStore Core plugin <= 5.3.5 - Unauthenticated PHP Object Injection vulnerability
Deserialization of Untrusted Data vulnerability in 8theme XStore Core. This issue affects XStore Core: from n/a through 5.3.5...
CVE-2024-33641 WordPress Custom field finder plugin <= 0.3 - PHP Object Injection vulnerability
Deserialization of Untrusted Data vulnerability in Team Yoast Custom field finder. This issue affects Custom field finder: from n/a through 0.3...
Import and export users and customers < 1.26.3 - Authenticated (Admin+) PHP Object Injection
Description The Import and export users and customers plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.26.2 via deserialization of untrusted input in the import.php file. This makes it possible for authenticated attackers, with administrator-level...
Grid Gallery – Photo Image Grid Gallery <= 1.4.3 - Authenticated(Contributor+) PHP Object Injection via shortcode
Description The Grid Gallery – Photo Image Grid Gallery plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.3 via deserialization via shortcode of untrusted input from the awlggsettings meta value. This makes it possible for authenticated attackers...