3726 matches found
CVE-2024-13789
The ravpage plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.31 via deserialization of untrusted input from the 'paramsv2' parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the...
CVE-2024-13899
The Mambo Importer plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0 via deserialization of untrusted input via the $data parameter in the fImportMenu function. This makes it possible for authenticated attackers, with Administrator-level access a...
CVE-2024-13899 Mambo Importer <= 1.0 - Authenticated (Administrator+) PHP Object Injection
The Mambo Importer plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0 via deserialization of untrusted input via the $data parameter in the fImportMenu function. This makes it possible for authenticated attackers, with Administrator-level access a...
CVE-2024-13899
CVE-2024-13899 affects the Mambo Importer plugin for WordPress (up to v1.0). It enables PHP Object Injection via deserialization of untrusted input in fImportMenu’s $data parameter. Exploitation requires Administrator-class access; no public POP chain is documented in the vulnerable package itsel...
PT-2025-7403 · WordPress · Mambo Importer
Name of the Vulnerable Software and Affected Versions: Mambo Importer plugin for WordPress versions up to, and including, 1.0 Description: The Mambo Importer plugin for WordPress is vulnerable to PHP Object Injection via deserialization of untrusted input via the data parameter in the fImportMenu...
WordPress Mambo Importer plugin <= 1.0 - Authenticated (Administrator+) PHP Object Injection vulnerability
Authenticated (Administrator+) PHP Object Injection vulnerability discovered by Francesco Carlucci in WordPress Plugin Mambo Importer versions <= 1.0...
CVE-2024-13636
The Brooklyn theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.9.9.2 via deserialization of untrusted input in the otdecode function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object...
CVE-2024-13789 Ravpage <= 2.31 - PHP Object Injection
The ravpage plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.31 via deserialization of untrusted input from the 'paramsv2' parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the...
CVE-2024-13789
CVE-2024-13789 details (as per provided docs): The ravpage WordPress plugin (affected versions up to 2.31) is vulnerable to PHP Object Injection via deserialization of untrusted input in the paramsv2 parameter. This allows unauthenticated attackers to inject a PHP object. There is no known POP ch...
CVE-2024-13556
The Affiliate Links: WordPress Plugin for Link Cloaking and Link Management plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.0.1 via deserialization of untrusted input from a file export. This makes it possible for unauthenticated attackers to...
PT-2025-7389 · WordPress · Ravpage
Name of the Vulnerable Software and Affected Versions: Ravpage plugin for WordPress versions up to, and including, 2.31 Description: The issue concerns a PHP Object Injection vulnerability via deserialization of untrusted input from the paramsv2 parameter. This allows unauthenticated attackers to...
WordPress Advanced Database Cleaner Plugin < 3.1.4 PHP Object Injection Vulnerability
The WordPress plugin SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:sigmaplugin:advanceddatabasecleaner"; ifdescription...
WordPress Ravpage plugin <= 2.31 - PHP Object Injection vulnerability
PHP Object Injection vulnerability discovered by Frissi0n in WordPress Plugin Ravpage versions <= 2.31...
DRUPAL-CORE-2025-003
Drupal core contains a potential PHP Object Injection vulnerability that if combined with another exploit could lead to Arbitrary File Inclusion. Techniques exist to escalate this attack to Remote Code Execution. It is not directly exploitable. This issue is mitigated by the fact that in order fo...
Drupal core - Moderately critical - Gadget Chain - SA-CORE-2025-003
Drupal core contains a potential PHP Object Injection vulnerability that if combined with another exploit could lead to Arbitrary File Inclusion. Techniques exist to escalate this attack to Remote Code Execution. It is not directly exploitable. This issue is mitigated by the fact that in order fo...
Drupal 10.3.x < 10.3.13 / 10.3.x < 10.3.13 / 10.4.x < 10.4.3 / 10.4.x < 10.4.3 / 11.x < 11.0.12 / 11.x < 11.0.12 / 11.1.x < 11.1.3 / 11.1.x < 11.1.3 Multiple Vulnerabilities (drupal-2025-02-19)
According to its self-reported version, the instance of Drupal running on the remote web server is 10.3.x prior to 10.3.13, 10.3.x prior to 10.3.13, 10.4.x prior to 10.4.3, 10.4.x prior to 10.4.3, 11.x prior to 11.0.12, 11.x prior to 11.0.12, 11.1.x prior to 11.1.3, or 11.1.x prior to 11.1.3. It...