CVE-2024-2501
CVE-2024-2501 affects Hubbub Lite (WordPress plugin) up to version 1.33.1 and enables PHP Object Injection via deserialization in the dpsp_maybe_unserialize function. Authenticated attackers with Contributor+ privileges can inject a PHP object; if a POP chain exists via another plugin/theme, this...
CVE-2024-1792 CMB2 <= 2.10.1 - Authenticated (Contributor+) PHP Object Injection
The CMB2 plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.10.1 via deserialization of untrusted input from the text_datetime_timestamp_timezone field. This makes it possible for authenticated attackers, with contributor access or higher, to inject a...
CVE-2024-1792
The CVE-2024-1792 entry concerns the CMB2 WordPress plugin, affected in all versions up to and including 2.10.1. The flaw is a PHP Object Injection via deserialization of untrusted input in the text_datetime_timestamp_timezone field, which authenticated attackers with contributor access or higher...
CVE-2024-1813 Simple Job Board <= 2.11.0 - Unauthenticated PHP Object Injection via Job Application Fields
The Simple Job Board plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.11.0 via deserialization of untrusted input in the job_board_applicant_list_columns_value function. This makes it possible for unauthenticated attackers to inject a PHP Object. If a...
CVE-2024-2693 Link Whisper Free <= 0.7.1 - Authenticated (Contributor+) PHP Object Injection
The Link Whisper Free plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 0.7.1 via deserialization of untrusted input of the 'mfn-page-items' post meta value. This makes it possible for authenticated attackers, with contributor-level access and above,...
CVE-2024-2018 WP Activity Log Premium <= 4.6.4 - Authenticated (Subscriber+) SQL Injection
The WP Activity Log Premium plugin for WordPress is vulnerable to SQL Injection via the entry-roles parameter in all versions up to, and including, 4.6.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possibl...
PT-2024-21585 · WordPress · Link Whisper Free
Name of the Vulnerable Software and Affected Versions: Link Whisper Free plugin for WordPress versions up to, and including, 0.7.1
Description: The issue allows authenticated attackers with contributor-level access and above to inject a PHP Object via deserialization of untrusted input of the...
PT-2024-20699 · WordPress · The Hubbub Lite
Name of the Vulnerable Software and Affected Versions: The Hubbub Lite – Fast, Reliable Social Sharing Buttons plugin for WordPress versions up to, and including, 1.33.1
Description: The issue allows authenticated attackers with contributor access and above to inject a PHP Object via...
PT-2024-18310 · WordPress · Cmb2
Name of the Vulnerable Software and Affected Versions: CMB2 plugin for WordPress versions up to, and including, 2.10.1
Description: The CMB2 plugin for WordPress is vulnerable to PHP Object Injection via deserialization of untrusted input from the text_datetime_timestamp_timezone field. This allo...
Carousel, Slider, Gallery by WP Carousel – Image Carousel & Photo Gallery, Post Carousel & Post Grid, Product Carousel & Product Grid for WooCommerce < 2.6.4 - Authenticated (Admin+) PHP Object Injection
Description: The plugin is vulnerable to PHP Object Injection in versions up to, and including, 2.6.3 via deserialization of untrusted input in the import function via the 'shortcode' parameter. This allows authenticated attackers with administrator-level access to inject a PHP Object. If a POP...
CVE-2024-31277 WordPress Product Designer plugin <= 1.0.32 - PHP Object Injection vulnerability
Deserialization of Untrusted Data vulnerability in PickPlugins Product Designer. This issue affects Product Designer: from n/a through 1.0.32...
CVE-2024-31308 WordPress WP Import Export Lite & WP Import Export plugin <= 3.9.26 - PHP Object Injection vulnerability
Deserialization of Untrusted Data vulnerability in VJInfotech WP Import Export Lite. This issue affects WP Import Export Lite: from n/a through 3.9.26...
WordPress WP Import Export Lite & WP Import Export plugin <= 3.9.26 - PHP Object Injection vulnerability
PHP Object Injection vulnerability discovered by Trình Vũ / Sonicrrrr from VNPT-VCI Patchstack Alliance in WordPress Plugin WP Import Export Lite versions <= 3.9.26...
WordPress Product Designer plugin <= 1.0.32 - PHP Object Injection vulnerability
PHP Object Injection vulnerability discovered by Yudistira Arya Patchstack Alliance in WordPress Plugin Product Designer versions <= 1.0.32...
WordPress Product Designer Plugin <= 1.0.32 is vulnerable to PHP Object Injection
Software: Product Designer
Type: Plugin
Vulnerable versions: <= 1.0.32
Fixed in: 1.0.33
OWASP Top 10: A3: Injection
Classification: PHP Object Injection
CVE: CVE-2024-31277
Patch priority: High
CVSS severity: High 8.7
PSID: c28d30a48452
Credits: Yudistira Arya
Required privilege...