Lucene search

3724 matches found

RedhatCVE
added 2025/05/22 6:25 p.m. | 8 views

CVE-2021-25294

OpenCATS through 0.9.5-3 unsafely deserializes index.php?m=activity requests, leading to remote code execution. This occurs because lib/DataGrid.php calls unserialize for the parametersactivity:ActivityDataGrid parameter. The PHP object injection exploit chain can leverage an __destruct magic metho...

CVSS 10 | AI score 8 | EPSS 0.10594
Exploits 1 | References 1
RedhatCVE
added 2025/05/22 6:25 p.m. | 4 views

CVE-2021-24950

The Insight Core WordPress plugin through 1.0 does not have any authorisation and CSRF checks in the insightcustomizeroptionsimport available to any authenticated user, does not validate user input before passing it to unserialize, nor sanitise and escape it before outputting it in the response. ...

CVSS 5.4 | AI score 5.9 | EPSS 0.00516
Exploits 2 | References 1
RedhatCVE
added 2025/05/22 4:32 p.m. | 6 views

CVE-2020-24914

A PHP object injection bug in profile.php in qcubed all versions including 3.1.1 unserializes the untrusted data of the POST-variable "strProfileData" and allows an unauthenticated attacker to execute code via a crafted POST request...

CVSS 9.8 | AI score 7.5 | EPSS 0.05554
Exploits 3
RedhatCVE
added 2025/05/22 3:42 p.m. | 5 views

CVE-2020-8800

SuiteCRM through 7.11.11 allows EmailsControllerActionGetFromFields PHP Object Injection...

CVSS 8.8 | AI score 7 | EPSS 0.02813
Exploits 1 | References 1
RedhatCVE
added 2025/05/22 3:23 p.m. | 4 views

CVE-2020-26165

qdPM through 9.1 allows PHP Object Injection via timeReportActions::executeExport in core/apps/qdPM/modules/timeReport/actions/actions.class.php because unserialize is used...

CVSS 8.8 | AI score 7.4 | EPSS 0.02502
Exploits 2
RedhatCVE
added 2025/05/22 1:14 p.m. | 6 views

CVE-2018-1000641

YesWiki version = cercopitheque beta 1 contains a PHP Object Injection vulnerability in Unserialising user entered parameter in i18n.inc.php that can result in execution of code, disclosure of information...

CVSS 9.8 | AI score 7.3 | EPSS 0.02491
Exploits 0 | References 1
RedhatCVE
added 2025/05/22 10:35 a.m. | 7 views

CVE-2019-16885

In OkayCMS through 2.3.4, an unauthenticated attacker can achieve remote code execution by injecting a malicious PHP object via a crafted cookie. This could happen at two places: first in view/ProductsView.php using the cookie pricefilter, and second in api/Comparison.php via the cookie compariso...

CVSS 9.8 | AI score 7.9 | EPSS 0.046
Exploits 3 | References 1
RedhatCVE
added 2025/05/22 10:30 a.m. | 9 views

CVE-2019-5434

An attacker could send a specifically crafted payload to the XML-RPC invocation script and trigger the unserialize call on the "what" parameter in the "openads.spc" RPC method. Such vulnerability could be used to perform various types of attacks, e.g. exploit serialize-related PHP vulnerabilities...

CVSS 9.8 | AI score 7.4 | EPSS 0.57022
Exploits 7 | References 1
RedhatCVE
added 2025/05/22 9:16 a.m. | 5 views

CVE-2019-17315

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP object injection in the Administration module by an Admin user...

CVSS 7.2 | AI score 7.3 | EPSS 0.01407
Exploits 0 | References 1
RedhatCVE
added 2025/05/22 8:11 a.m. | 6 views

CVE-2019-15521

Spoon Library through 2014-02-06, as used in Fork CMS before 1.4.1 and other products, allows PHP object injection via a cookie containing an object...

CVSS 9.8 | AI score 7.2 | EPSS 0.02482
Exploits 0 | References 1
RedhatCVE
added 2025/05/22 7:38 a.m. | 5 views

CVE-2018-20987

The newsletters-lite plugin before 4.6.8.6 for WordPress has PHP object injection...

CVSS 9.8 | AI score 7.2 | EPSS 0.02129
Exploits 0 | References 1
RedhatCVE
added 2025/05/22 7:35 a.m. | 4 views

CVE-2019-17316

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP object injection in the Import module by a Regular user...

CVSS 8.8 | AI score 7.3 | EPSS 0.01488
Exploits 0 | References 1
RedhatCVE
added 2025/05/22 7:35 a.m. | 5 views

CVE-2019-17317

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP object injection in the UpgradeWizard module by an Admin user...

CVSS 7.2 | AI score 7.3 | EPSS 0.01395
Exploits 0 | References 1
RedhatCVE
added 2025/05/22 6:23 a.m. | 10 views

CVE-2019-12799

In createInstanceFromNamedArguments in Shopware through 5.6.x, a crafted web request can trigger a PHP object instantiation vulnerability, which can result in an arbitrary deserialization if the right class is instantiated. An attacker can leverage this deserialization to achieve remote code...

CVSS 8.8 | AI score 7.7 | EPSS 0.54681
Exploits 6 | References 1
RedhatCVE
added 2025/05/22 1:17 a.m. | 4 views

CVE-2017-1000195

October CMS build 412 is vulnerable to PHP object injection in asset move functionality resulting in ability to delete files limited by file permissions on the server...

CVSS 7.5 | AI score 7.2 | EPSS 0.01525
Exploits 0 | References 1
Patchstack
added 2025/05/22 12:0 a.m. | 3 views

WordPress Acerola Theme <= 1.6.5 is vulnerable to PHP Object Injection

Software: Acerola | Type: Theme | Vulnerable versions: <= 1.6.5 | Fixed in: N/A | OWASP Top 10: A3: Injection | Classification: PHP Object Injection | CVE: CVE-2025-31927 | Patch priority: High | CVSS severity: High 9.8 | Developer: Claim ownership | PSID: d721ad82aacb | Credits: Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity...

CVSS 9.8 | AI score 6.8 | EPSS 0.00503
Exploits 0 | References 1 | Affected Software 1
Patchstack
added 2025/05/22 12:0 a.m. | 3 views

WordPress Photography Theme <= 7.5.2 is vulnerable to PHP Object Injection

Software: Photography | Type: Theme | Vulnerable versions: <= 7.5.2 | Fixed in: N/A | OWASP Top 10: A3: Injection | Classification: PHP Object Injection | CVE: N/A | Patch priority: High | CVSS severity: High 8.5 | Developer: EPC | PSID: 070158f14a77 | Credits: Rafie Muhammad Patchstack | Required privilege: Subscriber | Published: 22...

AI score 7.2
Exploits 0 | Affected Software 1
Patchstack
added 2025/05/22 12:0 a.m. | 7 views

WordPress Car Dealer Theme <= 1.6.6 is vulnerable to PHP Object Injection

Software: Car Dealer | Type: Theme | Vulnerable versions: <= 1.6.6 | Fixed in: N/A | OWASP Top 10: A3: Injection | Classification: PHP Object Injection | CVE: CVE-2025-39480 | Patch priority: High | CVSS severity: High 9.8 | Developer: Claim ownership | PSID: 4311ea0cfd5b | Credits: Bonds | Required privilege: Unauthenticated | Publish...

CVSS 9.8 | AI score 6.8 | EPSS 0.00503
Exploits 0 | References 1 | Affected Software 1
NVD
added 2025/05/21 12:16 p.m. | 5 views

CVE-2025-4803

The Glossary by WPPedia – Best Glossary plugin for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.0 via deserialization of untrusted input from the 'posttypes' parameter. This makes it possible for authenticated attackers, with...

CVSS 7.2 | EPSS 0.00569
Exploits 0 | References 4
Patchstack
added 2025/05/21 10:36 a.m. | 4 views

WordPress Insurance theme <= 3.5 - PHP Object Injection Vulnerability

PHP Object Injection Vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Insurance versions <= 3.5...

CVSS 8.8 | AI score 7.2 | EPSS 0.00511
Exploits 0 | Affected Software 1