ShortPixel Image Optimizer < 5.4.2 - Authenticated (Editor+) PHP Object Injection
Description The ShortPixel Image Optimizer plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 5.4.1 via deserialization of untrusted input in post content. This allows authenticated attackers with editor capabilities or above to inject a PHP Object. No PO...
Essential Blocks <= 4.2.0 - Unauthenticated PHP Object Injection via queries
Description The Essential Blocks plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 4.2.0 via deserialization of untrusted input in the getposts function. This allows unauthenticated attackers to inject a PHP Object. No POP chain is present in the...
Essential Blocks <= 4.2.0 - Unauthenticated PHP Object Injection via products
Description The Essential Blocks plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 4.2.0 via deserialization of untrusted input in the getproducts function. This allows unauthenticated attackers to inject a PHP Object. No POP chain is present in the...
E2Pdf < 1.20.19 - Authenticated (Administrator+) PHP Object Injection
Description The E2Pdf plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.20.18 via deserialization of untrusted input within the importaction and ajaxupload functions. This makes it possible for authenticated attackers, with administrative-level...
KD Coming Soon <= 1.7 - Unauthenticated PHP Object Injection via cetitle
Description The KD Coming Soon plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.7 via deserialization of the untrusted cetitle input in the kdcemailer function. This makes it possible for unauthenticated attackers to inject a PHP Object. No...
Flatsome < 3.17.6 - Unauthenticated PHP Object Injection
Description The Flatsome theme for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 3.17.5 via deserialization of untrusted input. This allows unauthenticated attackers to inject a PHP Object. If a POP chain is present via an additional plugin or theme installed o...
Themify Ultra < 7.3.6 - Authenticated (Subscriber+) PHP Object Injection
Description The themify-ultra theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.3.3 via deserialization of untrusted input. This makes it possible for authenticated attackers with subscriber access and above to inject a PHP Object. If a POP chain is...
RSVPMaker < 10.6.7 - Unauthenticated PHP Object Injection
Description The RSVPMaker plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 10.6.6 via deserialization of untrusted input from the $details variable. This allows unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable...
UserPro < 5.1.1 - Cross-Site Request Forgery to PHP Object Injection
Description The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.1.0. This is due to missing or incorrect nonce validation on the 'importsettings' function. This makes it possible for unauthenticated attackers to exploit PHP Object...
CVE-2023-2497 UserPro <= 5.1.0 - Cross-Site Request Forgery to PHP Object Injection
Cross site request forgery (csrf)
The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.1.0. This is due to missing or incorrect nonce validation on the 'importsettings' function. This makes it possible for unauthenticated attackers to exploit PHP Object Injection due to...
CVE-2023-2497
CVE-2023-2497 affects the UserPro WordPress plugin up to version 5.1.0. It is a Cross-Site Request Forgery (CSRF) vulnerability stemming from missing or incorrect nonce validation on the import_settings function, which, when combined with unserialize() on user-supplied data, can enable unauthenti...
PT-2023-19847 · WordPress · Userpro
Name of the Vulnerable Software and Affected Versions: UserPro plugin for WordPress versions up to, and including, 5.1.0 Description: The issue is related to Cross-Site Request Forgery due to missing or incorrect nonce validation on the import settings function. This allows unauthenticated...
CVE-2023-5340 Five Star Restaurant Menu and Food Ordering < 2.4.11 - Unauthenticated PHP Object Injection
Design/Logic Flaw
The Five Star Restaurant Menu and Food Ordering WordPress plugin before 2.4.11 unserializes user input via an AJAX action available to unauthenticated users, allowing them to perform PHP Object Injection when a suitable gadget is present on the blog...
CVE-2023-5340
CVE-2023-5340 affects the Five Star Restaurant Menu and Food Ordering WordPress plugin prior to version 2.4.11. The issue is unauthenticated deserialization via an AJAX action, enabling PHP Object Injection when a suitable gadget is present on the blog. Remediation: upgrade to version 2.4.11 ...
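Every entry above describes the same root cause: request data reaching unserialize(), with the impact depending on whether a gadget ("POP chain") class happens to be loaded, and in the UserPro case on a missing nonce check that lets a CSRF victim deliver the payload. The following is an added example, not code from any of the listed plugins or themes; the CacheEntry gadget, the handler names and the `demo_import_settings` hook are hypothetical. It shows the vulnerable pattern, the same payload against the two fixes, and a WordPress AJAX handler that applies nonce, capability and format checks together. Requires PHP 7.3+ and runs from the CLI without WordPress.

```php
<?php
// Added example (not the code of any plugin listed on this page): how
// "deserialization of untrusted input" becomes PHP Object Injection, and
// the two fixes that close it. Run with `php poi_demo.php`.

// A hypothetical gadget class. A POP chain is nothing more than one or more
// such classes, reachable only if the plugin/theme shipping them is loaded.
class CacheEntry {
    public $path = '';
    public $data = '';
    public function __destruct() {
        // Runs when the object is destroyed, even though the handler never
        // intended to construct a CacheEntry from request data.
        if ($this->path !== '') {
            file_put_contents($this->path, $this->data);
        }
    }
}

// Vulnerable pattern: request data goes straight into unserialize().
function vulnerable_import(string $raw) {
    return unserialize($raw);
}

// Fix 1: if serialized PHP must be accepted, forbid instantiating classes.
// Objects come back as __PHP_Incomplete_Class, so no magic method runs.
function hardened_import(string $raw) {
    return unserialize($raw, ['allowed_classes' => false]);
}

// Fix 2 (preferred): do not use PHP serialization for request data at all.
function json_import(string $raw): array {
    $decoded = json_decode($raw, true, 32, JSON_THROW_ON_ERROR);
    return is_array($decoded) ? $decoded : [];
}

function run_demo(): void {
    $target = sys_get_temp_dir() . '/poi_demo_' . getmypid() . '.txt';
    // Constructed payload, built as a string the way an attacker would POST
    // it: it names a class the handler never expected and sets the
    // properties that the gadget's __destruct acts on.
    $payload = sprintf(
        'O:10:"CacheEntry":2:{s:4:"path";s:%d:"%s";s:4:"data";s:17:"written by gadget";}',
        strlen($target), $target
    );

    // 1. Vulnerable: the object is instantiated; __destruct writes the file.
    $obj = vulnerable_import($payload);
    unset($obj);
    printf("vulnerable_import -> file written: %s\n", var_export(file_exists($target), true));
    @unlink($target);

    // 2. Hardened: same payload, but no CacheEntry is ever constructed.
    $obj = hardened_import($payload);
    printf("hardened_import   -> got %s, file written: %s\n",
        get_class($obj), var_export(file_exists($target), true));
    unset($obj);

    // 3. JSON: the payload is not valid JSON and is simply rejected.
    try {
        json_import($payload);
    } catch (JsonException $e) {
        printf("json_import       -> rejected (%s)\n", $e->getMessage());
    }
}

if (PHP_SAPI === 'cli') {
    run_demo();
}

// WordPress side of the CSRF-to-object-injection case. An import handler
// needs a nonce check (CSRF) and a capability check (authorization) on top of
// never calling unserialize() on the posted body. Hook and option names are
// hypothetical; this is only registered when the file is loaded inside WP.
if (function_exists('add_action')) {
    add_action('wp_ajax_demo_import_settings', function () {
        check_ajax_referer('demo_import_settings', '_wpnonce');
        if (!current_user_can('manage_options')) {
            wp_send_json_error('forbidden', 403);
        }
        try {
            $settings = json_import(wp_unslash($_POST['settings'] ?? ''));
        } catch (JsonException $e) {
            wp_send_json_error('invalid settings payload', 400);
        }
        update_option('demo_settings', $settings);
        wp_send_json_success();
    });
}
```

Two points worth noting when auditing a plugin for this class of bug: the `allowed_classes` option only neutralizes object instantiation and still lets an attacker control arrays and scalars, so downstream code must treat the result as untrusted; and the "No POP chain is present" wording in the entries above refers only to the vulnerable component itself, since any other installed plugin or theme can supply the gadget, which is why the unauthenticated cases are rated as seriously as they are.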