3718 matches found

WPVulnDB
added 2023/04/06 12:00 a.m. · 58 views

Formidable Forms < 6.2 - Unauthenticated PHP Object Injection

The plugin unserializes user input, which could allow anonymous users to perform PHP Object Injection when a suitable gadget is present. PoC: To simulate a gadget chain, put the following code in a plugin: `class Evil { public function __wakeup() : void { die("Arbitrary deserialization"); } }` 1. Active this...

9.5 AI score · 0.00702 EPSS
Exploits: 2 · Affected Software: 1

Patchstack
added 2023/04/04 12:00 a.m. · 7 views

WordPress Advanced Custom Fields Plugin <= 6.0.7 is vulnerable to PHP Object Injection

Software: Advanced Custom Fields; Type: Plugin; Vulnerable versions: <= 6.0.7; Fixed in: 6.1.0; OWASP Top 10: A1: Injection; Classification: PHP Object Injection; CVE: N/A; Patch priority: High; CVSS severity: High (8.5); PSID: 29e8820ff608; Credits: Unknown; Required privilege: Contributor...

7.2 AI score
Exploits: 0 · References: 2 · Affected Software: 1

OSV
added 2023/03/22 9:15 p.m. · 2 views

CVE-2023-28667

The Lead Generated WordPress Plugin, version = 1.23, was affected by an unauthenticated insecure deserialization issue. The tve_labels parameter of the tve_api_form_submit action is passed to the PHP unserialize function without being sanitized or verified, and as a result could lead to PHP object...

9.8 CVSS · 7.3 AI score
Exploits: 0 · References: 1

Vulnrichment
added 2023/03/22 12:00 a.m. · 6 views

CVE-2023-28667

The Lead Generated WordPress Plugin, version = 1.23, was affected by an unauthenticated insecure deserialization issue. The tve_labels parameter of the tve_api_form_submit action is passed to the PHP unserialize function without being sanitized or verified, and as a result could lead to PHP object...

9.7 AI score · 0.01105 EPSS
Exploits: 1 · References: 1

Positive Technologies
added 2023/03/22 12:00 a.m. · 3 views

PT-2023-21888 · WordPress · The Lead Generated Wordpress Plugin

Name of the Vulnerable Software and Affected Versions: The Lead Generated WordPress Plugin version = 1.23. Description: The issue is related to an unauthenticated insecure deserialization problem. The tve_labels parameter of the tve_api_form_submit action is passed to the PHP unserialize function...

9.8 CVSS · 9.3 AI score · 0.01105 EPSS
Exploits: 1 · References: 3

CVE
added 2023/03/22 12:00 a.m. · 50 views

CVE-2023-28667

CVE-2023-28667 centers on the Lead Generated WordPress Plugin (version

9.8 CVSS · 9.5 AI score · 0.01105 EPSS
Exploits: 1 · References: 1 · Affected Software: 1

Patchstack
added 2023/03/13 12:00 a.m. · 6 views

WordPress LeadSnap Plugin <= 1.23 is vulnerable to PHP Object Injection

Software: LeadSnap; Type: Plugin; Vulnerable versions: <= 1.23; Fixed in: 1.24; OWASP Top 10: A1: Injection; Classification: PHP Object Injection; CVE: N/A; Patch priority: High; CVSS severity: High (5.4); PSID: 9b44d2d3b583; Credits: WordFence; Required privilege: Unauthenticated; Published: 13...

7.2 AI score
Exploits: 0 · References: 2 · Affected Software: 1

NVD
added 2023/02/21 9:15 a.m. · 16 views

CVE-2023-0232

The ShopLentor WordPress plugin before 2.5.4 unserializes user input from cookies in order to track viewed products and user data, which could lead to PHP Object Injection...

9.8 CVSS · 9.5 AI score · 0.03317 EPSS
Exploits: 1 · References: 2

Prion
added 2023/02/21 9:15 a.m. · 9 views

Design/Logic Flaw

The ShopLentor WordPress plugin before 2.5.4 unserializes user input from cookies in order to track viewed products and user data, which could lead to PHP Object Injection...

7.5 CVSS · 9.3 AI score · 0.03317 EPSS
Exploits: 1 · References: 2 · Affected Software: 1

Vulnrichment
added 2023/02/21 8:51 a.m. · 6 views

CVE-2023-0232 ShopLentor < 2.5.4 - PHP Object Injection

The ShopLentor WordPress plugin before 2.5.4 unserializes user input from cookies in order to track viewed products and user data, which could lead to PHP Object Injection...

6.7 AI score · 0.03317 EPSS
Exploits: 1 · References: 2

Cvelist
added 2023/02/21 8:51 a.m. · 18 views

CVE-2023-0232 ShopLentor < 2.5.4 - PHP Object Injection

The ShopLentor WordPress plugin before 2.5.4 unserializes user input from cookies in order to track viewed products and user data, which could lead to PHP Object Injection...

9.7 AI score · 0.03317 EPSS
Exploits: 1 · References: 2

Patchstack
added 2023/02/21 12:00 a.m. · 144 views

WordPress BuddyForms Plugin <= 2.7.7 is vulnerable to PHP Object Injection

Software: BuddyForms; Type: Plugin; Vulnerable versions: <= 2.7.7; Fixed in: 2.7.8; OWASP Top 10: A1: Injection; Classification: PHP Object Injection; CVE: N/A; Patch priority: High; CVSS severity: High (5.4); PSID: 2e9e362a10ab; Credits: WordFence; Required privilege: Subscriber; Published: 21...

7.2 AI score
Exploits: 0 · References: 2 · Affected Software: 1

SUSE CVE
added 2023/02/15 5:25 a.m. · 3 views

SUSE CVE-2014-8684

CodeIgniter before 3.0 and Kohana 3.2.3 and earlier and 3.3.x through 3.3.2 make it easier for remote attackers to spoof session cookies and consequently conduct PHP object injection attacks by leveraging use of standard string comparison operators to compare cryptographic hashes...

9.8 CVSS · 7.4 AI score · 0.71515 EPSS
Exploits: 5 · References: 3

SUSE CVE
added 2023/02/15 4:19 a.m. · 2 views

SUSE CVE-2018-1000527

Froxlor version = 0.9.39.5 contains a PHP Object Injection vulnerability in the Domain name form that can result in possible information disclosure and remote code execution. This attack appears to be exploitable via passing malicious PHP objection in `$_POST['ssl_ipandport']`. This vulnerability appears to...

7.2 CVSS · 7.5 AI score · 0.02629 EPSS
Exploits: 0 · References: 3

CVE
added 2023/02/09 11:34 p.m. · 44 views

CVE-2022-3568

CVE-2022-3568 affects the ImageMagick Engine WordPress plugin (versions up to and including 1.7.5). The vulnerability enables CSRF and deserialization of untrusted input via the cli_path parameter, potentially allowing PHAR-deserialization when a suitable gadget chain exists and a serialized payl...

8.8 CVSS · 8.6 AI score · 0.00626 EPSS
Exploits: 0 · References: 5 · Affected Software: 1

NVD
added 2023/02/06 8:15 p.m. · 19 views

CVE-2022-4489

The HUSKY WordPress plugin before 1.3.2 unserializes user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present...

7.2 CVSS · 7.1 AI score · 0.01313 EPSS
Exploits: 2 · References: 1

Prion
added 2023/02/06 8:15 p.m. · 18 views

Design/Logic Flaw

The HUSKY WordPress plugin before 1.3.2 unserializes user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present...

5.8 CVSS · 7.1 AI score · 0.01313 EPSS
Exploits: 2 · References: 1 · Affected Software: 1

Vulnrichment
added 2023/02/06 7:59 p.m. · 10 views

CVE-2022-4489 WOOF - Products Filter for WooCommerce < 1.3.2 - Admin+ PHP Object Injection

The HUSKY WordPress plugin before 1.3.2 unserializes user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present...

7.3 AI score · 0.01313 EPSS
Exploits: 2 · References: 1

Cvelist
added 2023/02/06 7:59 p.m. · 19 views

CVE-2022-4489 WOOF - Products Filter for WooCommerce < 1.3.2 - Admin+ PHP Object Injection

The HUSKY WordPress plugin before 1.3.2 unserializes user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present...

7.2 AI score · 0.01313 EPSS
Exploits: 2 · References: 1

CVE
added 2023/02/06 7:59 p.m. · 68 views

CVE-2022-4489

The CVE-2022-4489 entry concerns the WordPress HUSKY (WOOF) plugin for WooCommerce, affected versions

7.2 CVSS · 7 AI score · 0.01313 EPSS
Exploits: 2 · References: 1 · Affected Software: 1