Easy WP SMTP < 1.5.0 - Admin+ PHP Object Injection
The plugin unserialises the content of an imported file, which could lead to a PHP object injection issue when an admin imports, intentionally or not, a malicious file and a suitable gadget chain is present on the blog. PoC To simulate a gadget chain, put the following code in a plugin class Evil publ...
LearnPress < 4.1.7.2 - Unauthenticated PHP Object Injection via REST API
The plugin unserialises user input in a REST API endpoint available to unauthenticated users, which could lead to PHP Object Injection when a suitable gadget is present, leading to remote code execution (RCE). To successfully exploit this vulnerability attackers must have knowledge of the site...
WordPress LearnPress plugin <= 4.1.7.1 - Unauthenticated PHP Object Injection vulnerability
Unauthenticated PHP Object Injection vulnerability via REST API discovered by Nguyen Duy Quoc Khanh in the WordPress LearnPress plugin versions <= 4.1.7.1. Solution: Update the WordPress LearnPress plugin to the latest available version (at least 4.1.7.2)...
CVE-2022-2903
The Ninja Forms Contact Form WordPress plugin before 3.6.13 unserialises the content of an imported file, which could lead to PHP object injection issues when an admin imports, intentionally or not, a malicious file and a suitable gadget chain is present on the blog...
Design/Logic Flaw
The Ninja Forms Contact Form WordPress plugin before 3.6.13 unserialises the content of an imported file, which could lead to PHP object injection issues when an admin imports, intentionally or not, a malicious file and a suitable gadget chain is present on the blog...
CVE-2022-2903
The CVE-2022-2903 entry corresponds to the WordPress Ninja Forms Contact Form plugin (versions before 3.6.13). The vulnerability is described as insecure deserialization: importing a malicious file can lead to PHP object injection if a suitable gadget chain exists on the site. Impact is documente...
CVE-2022-2903 NinjaForms < 3.6.13 - Admin+ PHP Object Injection
The Ninja Forms Contact Form WordPress plugin before 3.6.13 unserialises the content of an imported file, which could lead to PHP object injection issues when an admin imports, intentionally or not, a malicious file and a suitable gadget chain is present on the blog...
CVE-2022-33900
PHP Object Injection vulnerability in Easy Digital Downloads plugin <= 3.0.1 at WordPress...
Design/Logic Flaw
PHP Object Injection vulnerability in Easy Digital Downloads plugin <= 3.0.1 at WordPress...
CVE-2022-33900 WordPress Easy Digital Downloads plugin <= 3.0.1 - PHP Object Injection vulnerability
PHP Object Injection vulnerability in Easy Digital Downloads plugin <= 3.0.1 at WordPress...
WordPress Easy Digital Downloads plugin <= 3.0.1 - PHP Object Injection vulnerability
PHP Object Injection vulnerability was discovered by Robert Rowley (Patchstack) in the WordPress Easy Digital Downloads plugin versions <= 3.0.1. Solution: Update the WordPress Easy Digital Downloads plugin to the latest available version (at least 3.0.2)...
Easy Digital Downloads < 3.0.2 - Admin+ PHP Object Injection
The plugin does not validate user input before unserialising it, which could allow high privilege users to perform PHP Object Injection attacks...
CVE-2022-2444 Visualizer: Tables and Charts Manager for WordPress <= 3.7.9 - Authenticated (Contributor+) PHAR Deserialization
The Visualizer: Tables and Charts Manager for WordPress plugin is vulnerable to deserialization of untrusted input via the 'remotedata' parameter in versions up to, and including, 3.7.9. This makes it possible for authenticated attackers with contributor privileges and above to call...
WordPress plugin Feed Them Social Code Issue Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. WordPress plugin Feed Them...
WordPress Ninja Forms plugin <= 3.6.10 - Unauthenticated PHP Object Injection vulnerability
Unauthenticated PHP Object Injection vulnerability discovered in WordPress Ninja Forms plugin versions <= 3.6.10. Solution: Update the WordPress Ninja Forms plugin to the latest available version (at least 3.6.11)...
Ninja Forms < 3.6.11 - Unauthenticated PHP Object Injection
The plugin does not validate merge tags provided in the request, which could allow unauthenticated attackers to call any static method present in the blog. One from the plugin in particular could allow for PHP Object Injection when a suitable gadget is also present on the blog. Attackers have bee...