WordPress plugin Advanced Custom Fields (ACF) Free and Pro code issue vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers. WordPress plugin is an application plugin. A code issue vulnerability exists in the...
WordPress Advanced Custom Fields PRO Plugin < 6.1.0 is vulnerable to PHP Object Injection
Software: Advanced Custom Fields PRO; Type: Plugin; Vulnerable versions: < 6.1.0; Fixed in: 6.1.0; OWASP Top 10: A1: Injection; Classification: PHP Object Injection; CVE: CVE-2023-1196; Patch priority: Medium; CVSS severity: Medium 4.9; PSID: 322be262bcd9; Credits: Nguyen Huu Do; Required...
WordPress Advanced Custom Fields Plugin < 5.12.5 is vulnerable to PHP Object Injection
Software: Advanced Custom Fields; Type: Plugin; Vulnerable versions: < 5.12.5; Fixed in: 5.12.5; OWASP Top 10: A1: Injection; Classification: PHP Object Injection; CVE: CVE-2023-1196; Patch priority: Medium; CVSS severity: Medium 4.9; PSID: 8c55b8a9942a; Credits: Nguyen Huu Do; Required privile...
PT-2023-17156 · WordPress · Seopress
Name of the Vulnerable Software and Affected Versions: SEOPress WordPress plugin versions prior to 6.5.0.3 Description: The issue allows high-privilege users, such as admins, to perform PHP Object Injection when a suitable gadget is present, due to the unserialize of user input provided via the...
PT-2023-16812 · WordPress · Advanced Custom Fields Pro
Name of the Vulnerable Software and Affected Versions: Advanced Custom Fields ACF Free and Pro WordPress plugins versions 5.x through 5.12.4 Advanced Custom Fields ACF Free and Pro WordPress plugins versions 6.x through 6.0.x Description: The issue allows users with a role of Contributor and abov...
WordPress Bit File Manager Plugin <= 5.2.7 is vulnerable to PHP Object Injection
Software: Bit File Manager; Type: Plugin; Vulnerable versions: <= 5.2.7; Fixed in: 6.0.0; OWASP Top 10: A1: Injection; Classification: PHP Object Injection; CVE: CVE-2022-47599; Patch priority: Low; CVSS severity: Low 5.5; PSID: 73c858fcfca7; Credits: rezaduty; Required privilege: Administrator...
WordPress Ad Inserter Plugin < 2.7.27 is vulnerable to PHP Object Injection
Software: Ad Inserter; Type: Plugin; Vulnerable versions: < 2.7.27; Fixed in: 2.7.27; OWASP Top 10: A8: Insecure Deserialization; Classification: PHP Object Injection; CVE: CVE-2023-1549; Patch priority: Low; CVSS severity: Low 4.4; Developer: Igor Funa; PSID: 3b84de757ee4; Credits: Nguyen Huu Do; Required privilege...
WordPress Customizer Export/Import Plugin < 0.9.6 is vulnerable to PHP Object Injection
Software: Customizer Export/Import; Type: Plugin; Vulnerable versions: < 0.9.6; Fixed in: 0.9.6; OWASP Top 10: A1: Injection; Classification: PHP Object Injection; CVE: CVE-2023-1347; Patch priority: Low; CVSS severity: Low 4.4; PSID: 014e99d7d277; Credits: Nguyen Huu Do; Required privilege...
WordPress ChatBot Plugin <= 4.4.6 is vulnerable to PHP Object Injection
Software: ChatBot; Type: Plugin; Vulnerable versions: <= 4.4.6; Fixed in: 4.4.7; OWASP Top 10: A1: Injection; Classification: PHP Object Injection; CVE: CVE-2023-1650; Patch priority: High; CVSS severity: High 5.4; PSID: 84bd0e4874e7; Credits: Erwan LR; Required privilege: Unauthenticated...
Ad Inserter < 2.7.27 - Admin+ PHP Object Injection
The plugin unserializes user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present PoC To simulate a gadget chain, put the following code in a plugin: class Evil public function wakeup : void...
Ad Inserter < 2.7.27 - Admin+ PHP Object Injection
The plugin unserializes user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present To simulate a gadget chain, put the following code in a plugin: class Evil public function wakeup : void die"Arbitra...
HUSKY (formerly WOOF) Plugin for WordPress < 1.3.2 PHP Object Injection
The WordPress HUSKY formerly WOOF Plugin installed on the remote host is affected by a php object injection vulnerability. Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number. No source data...
ChatBot < 4.4.7 - Unauthenticated PHP Object Injection
The plugin unserializes user input from cookies via an AJAX action available to unauthenticated users, which could allow them to perform PHP Object Injection when a suitable gadget is present on the blog PoC To simulate a gadget chain, put the following code in a plugin: class Evil public functio...
Advanced Custom Fields < 5.12.5 - Contributor+ PHP Object Injection
The plugin unserializes user controllable data, which could allow users with a role of Contributor and above to perform PHP Object Injection when a suitable gadget is present. PoC Setup As admin - To simulate a gadget chain, put the following code in a plugin: class Evil public function wakeup :...
Advanced Custom Fields < 6.1.0 - Contributor+ PHP Object Injection
The plugin unserializes user controllable data, which could allow users with a role of Contributor and above to perform PHP Object Injection when a suitable gadget is present. PoC Setup As admin - To simulate a gadget chain, put the following code in a plugin: class Evil public function wakeup :...
SEOPress < 6.5.0.3 - Admin+ PHP Object Injection
The plugin unserializes user input provided via the settings, which could allow high-privilege users such as admin to perform PHP Object Injection when a suitable gadget is present. PoC To simulate a gadget chain, put the following code in a plugin: class Evil public function wakeup : void...
Advanced Custom Fields < 5.12.5 - Contributor+ PHP Object Injection
The plugin unserializes user controllable data, which could allow users with a role of Contributor and above to perform PHP Object Injection when a suitable gadget is present. Setup As admin - To simulate a gadget chain, put the following code in a plugin: class Evil public function wakeup : void...
Advanced Custom Fields < 6.1.0 - Contributor+ PHP Object Injection
The plugin unserializes user controllable data, which could allow users with a role of Contributor and above to perform PHP Object Injection when a suitable gadget is present. Setup As admin - To simulate a gadget chain, put the following code in a plugin: class Evil public function wakeup : void...
WordPress Formidable Forms Plugin <= 6.1.2 is vulnerable to PHP Object Injection
Software: Formidable Forms; Type: Plugin; Vulnerable versions: <= 6.1.2; Fixed in: 6.2; OWASP Top 10: A1: Injection; Classification: PHP Object Injection; CVE: CVE-2023-1405; Patch priority: High; CVSS severity: High 9.8; PSID: e0f1ba3999f1; Credits: Nguyen Huu Do; Required privilege...
Formidable Forms < 6.2 - Unauthenticated PHP Object Injection
The plugin unserializes user input, which could allow anonymous users to perform PHP Object Injection when a suitable gadget is present. To simulate a gadget chain, put the following code in a plugin: class Evil { public function __wakeup() : void { die("Arbitrary deserialization"); } } 1. Activate this plugin a...