3718 matches found

Patchstack
added 2025/06/02 8:1 p.m. | 6 views

WordPress Ninja Tables – Easy Data Table Builder plugin <= 5.0.18 - Unauthenticated PHP Object Injection to Limited Remote Code Execution vulnerability

Unauthenticated PHP Object Injection to Limited Remote Code Execution vulnerability discovered by Trương Hữu Phúc (truonghuuphuc) in WordPress Plugin Ninja Tables versions <= 5.0.18...

CVSS 5.6 | AI score 7.4 | EPSS 0.00462
Exploits: 0 | References: 1 | Affected Software: 1

Patchstack
added 2025/06/02 12:59 p.m. | 3 views

WordPress Mr. Murphy < 1.2.12.1 - PHP Object Injection Vulnerability

PHP Object Injection Vulnerability discovered by Tran Nguyen Bao Khanh in WordPress Theme Mr. Murphy versions < 1.2.12.1...

CVSS 9.8 | AI score 7.2 | EPSS 0.00396
Exploits: 0 | Affected Software: 1

OSV
added 2025/06/02 6:30 a.m. | 8 views

GHSA-8J8W-WWQC-X596 Roundcube Webmail Vulnerable to Authenticated RCE via PHP Object Deserialization

Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization...

CVSS 9.9 | AI score 9.9 | EPSS 0.89163
Exploits: 29 | References: 15

GitHub Security Blog
added 2025/06/02 6:30 a.m. | 9 views

Roundcube Webmail Vulnerable to Authenticated RCE via PHP Object Deserialization

Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization...

CVSS 9.9 | AI score 8 | EPSS 0.89163
Exploits: 29 | References: 15 | Affected Software: 1

OSV
added 2025/06/02 5:15 a.m. | 8 views

CVE-2025-49113

Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization...

CVSS 8.8 | AI score 9.9 | EPSS 0.89163
Exploits: 29 | References: 13

NVD
added 2025/06/02 5:15 a.m. | 15 views

CVE-2025-49113

Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization...

CVSS 9.9 | EPSS 0.89163
Exploits: 29 | References: 13

Cvelist
added 2025/06/02 12:0 a.m. | 17 views

CVE-2025-49113

Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization...

CVSS 9.9 | EPSS 0.89163
Exploits: 29 | References: 10

Vulnrichment
added 2025/06/02 12:0 a.m. | 21 views

CVE-2025-49113

Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization...

CVSS 9.9 | AI score 9.7 | EPSS 0.89163
Exploits: 29 | References: 10

CVE
added 2025/06/02 12:0 a.m. | 545 views

CVE-2025-49113

CVE-2025-49113 affects Roundcube Webmail (Roundcube core) with PHP Object Deserialization via the unvalidated _from parameter in actions/settings/upload.php. The issue allows remote code execution by an authenticated user. Public advisories confirm RCE implications and that patches were released...

CVSS 9.9 | AI score 8 | EPSS 0.89163
In wild | Exploits: 29 | References: 13 | Affected Software: 1

Patchstack
added 2025/06/02 12:0 a.m. | 5 views

WordPress Mr. Murphy Theme < 1.2.12.1 is vulnerable to PHP Object Injection

Software: Mr. Murphy; Type: Theme; Vulnerable versions: < 1.2.12.1; Fixed in: 1.2.12.1; OWASP Top 10: A3: Injection; Classification: PHP Object Injection; CVE: CVE-2025-49072; Patch priority: High; CVSS severity: High 9.8; Developer: Claim ownership; PSID: 743adbe763dd; Credits: Tran Nguyen Bao Khanh VCI - VNPT Cyber...

CVSS 9.8 | AI score 6.8 | EPSS 0.00396
Exploits: 0 | References: 1 | Affected Software: 1

OpenVAS
added 2025/06/02 12:0 a.m. | 92 views

Roundcube Webmail RCE Vulnerability (Jun 2025) - Windows

Roundcube Webmail is prone to an authenticated remote code execution (RCE) vulnerability via PHP object deserialization. SPDX-FileCopyrightText: 2025 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders...

CVSS 9.9 | AI score 8.9 | EPSS 0.89163
Exploits: 29 | References: 5

FreeBSD
added 2025/06/01 12:0 a.m. | 20 views

Post-Auth Remote Code Execution found in Roundcube Webmail

Roundcube Webmail reports: Fix Post-Auth RCE via PHP Object Deserialization reported by firs0v...

CVSS 9.9 | AI score 7.1 | EPSS 0.89163
Exploits: 29 | References: 1

Patchstack
added 2025/05/30 6:33 a.m. | 5 views

WordPress Solar Energy theme <= 3.5 - PHP Object Injection Vulnerability

PHP Object Injection Vulnerability discovered by Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) in WordPress Theme Solar Energy versions <= 3.5...

CVSS 8.8 | AI score 7.2 | EPSS 0.00496
Exploits: 0 | Affected Software: 1

Patchstack
added 2025/05/30 12:0 a.m. | 8 views

WordPress Solar Energy Theme <= 3.5 is vulnerable to PHP Object Injection

Software: Solar Energy; Type: Theme; Vulnerable versions: <= 3.5; Fixed in: N/A; OWASP Top 10: A3: Injection; Classification: PHP Object Injection; CVE: CVE-2025-32283; Patch priority: High; CVSS severity: High 8.8; Developer: Claim ownership; PSID: 835d026bbefc; Credits: Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity...

AI score 6.8 | EPSS 0.00496
Exploits: 0 | References: 1 | Affected Software: 1

Vulnrichment
added 2025/05/29 6:54 p.m. | 7 views

CVE-2025-48336 WordPress Course Builder < 3.6.6 - PHP Object Injection Vulnerability

Deserialization of Untrusted Data vulnerability in ThimPress Course Builder course-builder allows Object Injection. This issue affects Course Builder: from n/a through 3.6.6...

CVSS 9.8 | AI score 8.6 | EPSS 0.00397
Exploits: 0 | References: 1

Patchstack
added 2025/05/29 12:38 p.m. | 6 views

WordPress WP Posts Carousel <= 1.3.12 - PHP Object Injection Vulnerability

PHP Object Injection Vulnerability discovered by astra.r3verii (Patchstack Alliance) in WordPress Plugin WP Posts Carousel versions <= 1.3.12...

CVSS 8.8 | AI score 7 | EPSS 0.00364
Exploits: 0 | Affected Software: 1

Patchstack
added 2025/05/29 12:0 a.m. | 10 views

WordPress Course Builder Theme < 3.6.6 is vulnerable to PHP Object Injection

Software: Course Builder; Type: Theme; Vulnerable versions: < 3.6.6; Fixed in: 3.6.6; OWASP Top 10: A3: Injection; Classification: PHP Object Injection; CVE: CVE-2025-48336; Patch priority: High; CVSS severity: High 9.8; Developer: Claim ownership; PSID: 330f3e0387ca; Credits: Annn; Required privilege: Unauthenticated...

CVSS 9.8 | AI score 9.6 | EPSS 0.00397
Exploits: 0 | References: 1 | Affected Software: 1

Cvelist
added 2025/05/23 12:44 p.m. | 11 views

CVE-2025-31049 WordPress Dash <= 1.3 - PHP Object Injection Vulnerability

Deserialization of Untrusted Data vulnerability in themeton Dash allows Object Injection. This issue affects Dash: from n/a through 1.3...

CVSS 9.8 | EPSS 0.00503
Exploits: 0 | References: 1

Vulnrichment
added 2025/05/23 12:44 p.m. | 5 views

CVE-2025-31069 WordPress HotStar – Multi-Purpose Business Theme <= 1.4 - PHP Object Injection Vulnerability

Deserialization of Untrusted Data vulnerability in themeton HotStar – Multi-Purpose Business Theme allows Object Injection. This issue affects HotStar – Multi-Purpose Business Theme: from n/a through 1.4...

CVSS 9.8 | AI score 9.5 | EPSS 0.00503
Exploits: 0 | References: 1

Cvelist
added 2025/05/23 12:44 p.m. | 21 views

CVE-2025-31069 WordPress HotStar – Multi-Purpose Business Theme <= 1.4 - PHP Object Injection Vulnerability

Deserialization of Untrusted Data vulnerability in themeton HotStar – Multi-Purpose Business Theme allows Object Injection. This issue affects HotStar – Multi-Purpose Business Theme: from n/a through 1.4...

CVSS 9.8 | EPSS 0.00503
Exploits: 0 | References: 1