
3587 matches found

Vulnrichment
added 2022/12/12 5:54 p.m. · 7 views

CVE-2022-3359 Shortcodes and extra features for Phlox theme < 2.10.7 - PHP Objection Injection

The Shortcodes and extra features for Phlox theme WordPress plugin before 2.10.7 unserializes the content of an imported file, which could lead to PHP object injection when a user imports (intentionally or not) a malicious file and a suitable gadget chain is present on the blog...

7.4 AI score · 0.00796 EPSS
Exploits: 0 · References: 1
CVE
added 2022/12/12 5:54 p.m. · 56 views

CVE-2022-3359

CVE-2022-3359 affects the Shortcodes and extra features for Phlox theme WordPress plugin, prior to version 2.10.7. The issue arises from unserializing the content of an imported file, enabling PHP object injection if a suitable gadget chain is present on the blog. Affected product: Phlox WordPres...

8.8 CVSS · 9 AI score · 0.00796 EPSS
Exploits: 0 · References: 1 · Affected Software: 1
Positive Technologies
added 2022/12/12 12:00 a.m. · 4 views

PT-2022-21789 · WordPress · Phlox

Name of the Vulnerable Software and Affected Versions: Shortcodes and extra features for Phlox theme WordPress plugin versions prior to 2.10.7 Description: The issue arises from the unserialize of the content of an imported file, which could lead to PHP object injection when a user imports a...

8.8 CVSS · 8.7 AI score · 0.00796 EPSS
Exploits: 0 · References: 5
Positive Technologies
added 2022/12/12 12:00 a.m. · 3 views

PT-2022-24656 · WordPress · Cooked Pro Wordpress Plugin

Name of the Vulnerable Software and Affected Versions: Cooked Pro WordPress plugin versions prior to 1.7.5.7 Description: The issue arises from improper validation and sanitization of the recipe args parameter before unserializing it in the "cooked loadmore" action. This allows an unauthenticated...

9.8 CVSS · 7.6 AI score · 0.04297 EPSS
Exploits: 2 · References: 5
CNNVD
added 2022/12/12 12:00 a.m. · 2 views

WordPress plugin Phlox code issue vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A code issue vulnerability...

8.8 CVSS · 8 AI score · 0.00796 EPSS
Exploits: 0 · References: 2
wpexploit
added 2022/12/08 12:00 a.m. · 434 views

White Label CMS < 2.5 - Admin+ PHP Object Injection

The plugin unserializes user input provided via the settings, which could allow high-privilege users such as admin to perform PHP Object Injection when a suitable gadget is present. To simulate a gadget chain, put the following code in a plugin: class Evil public function wakeup : void...

7.2 CVSS · 0.2 AI score · 0.01171 EPSS
Exploits: 2
WPVulnDB
added 2022/12/08 12:00 a.m. · 30 views

White Label CMS < 2.5 - Admin+ PHP Object Injection

The plugin unserializes user input provided via the settings, which could allow high-privilege users such as admin to perform PHP Object Injection when a suitable gadget is present. PoC To simulate a gadget chain, put the following code in a plugin: class Evil public function wakeup : void...

7.2 CVSS · 0.5 AI score · 0.01171 EPSS
Exploits: 2 · Affected Software: 1
wpexploit
added 2022/12/05 12:00 a.m. · 152 views

Stop Spammers Security < 2022.6 - Unauthenticated PHP Object Injection

The plugin passes base64 encoded user input to the unserialize PHP function when CAPTCHA are used as second challenge, which could lead to PHP Object injection if a plugin installed on the blog has a suitable gadget chain To simulate a gadget chain, put the following code in a plugin class Evil...

9.8 CVSS · 0.8 AI score · 0.06754 EPSS
Exploits: 2
WPVulnDB
added 2022/12/05 12:00 a.m. · 21 views

Stop Spammers Security < 2022.6 - Unauthenticated PHP Object Injection

The plugin passes base64 encoded user input to the unserialize PHP function when CAPTCHA are used as second challenge, which could lead to PHP Object injection if a plugin installed on the blog has a suitable gadget chain PoC To simulate a gadget chain, put the following code in a plugin class Ev...

9.8 CVSS · 1.6 AI score · 0.06754 EPSS
Exploits: 2 · Affected Software: 1
CNVD
added 2022/11/30 12:00 a.m. · 22 views

WordPress Checkout Field Editor for WooCommerce plugin deserialization vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The WordPress plugin is an application plugin. The WooCommerce WordPress plugin Checkout Field Editor Checkout Manager version 1.8.0 or earlier is...

7.2 CVSS · 1.4 AI score · 0.00901 EPSS
Exploits: 2 · References: 1
OpenVAS
added 2022/11/30 12:00 a.m. · 7 views

vBulletin < 5.5.3 PHP Object Injection Vulnerability

vBulletin is prone to a PHP object injection vulnerability. SPDX-FileCopyrightText: 2022 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:vbulletin:vbulletin";...

7.6 AI score
Exploits: 0 · References: 2
NVD
added 2022/11/28 2:15 p.m. · 11 views

CVE-2022-3490

The Checkout Field Editor Checkout Manager for WooCommerce WordPress plugin before 1.8.0 unserializes user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present...

7.2 CVSS · 0.00901 EPSS
Exploits: 2 · References: 1
OSV
added 2022/11/28 2:15 p.m. · 2 views

CVE-2022-3490

The Checkout Field Editor Checkout Manager for WooCommerce WordPress plugin before 1.8.0 unserializes user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present...

7.2 CVSS · 5.8 AI score · 0.00901 EPSS
Exploits: 2 · References: 1
Prion
added 2022/11/28 2:15 p.m. · 12 views

Design/Logic Flaw

The Checkout Field Editor Checkout Manager for WooCommerce WordPress plugin before 1.8.0 unserializes user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present...

5.8 CVSS · 7.1 AI score · 0.00901 EPSS
Exploits: 2 · References: 1 · Affected Software: 1
Vulnrichment
added 2022/11/28 1:47 p.m. · 8 views

CVE-2022-3490 Checkout Field Editor for WooCommerce < 1.8.0 - Admin+ PHP Object Injection

The Checkout Field Editor Checkout Manager for WooCommerce WordPress plugin before 1.8.0 unserializes user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present...

7.3 AI score · 0.00901 EPSS
Exploits: 2 · References: 1
Cvelist
added 2022/11/28 1:47 p.m. · 15 views

CVE-2022-3490 Checkout Field Editor for WooCommerce < 1.8.0 - Admin+ PHP Object Injection

The Checkout Field Editor Checkout Manager for WooCommerce WordPress plugin before 1.8.0 unserializes user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present...

7.3 AI score · 0.00901 EPSS
Exploits: 2 · References: 1
Positive Technologies
added 2022/11/28 12:00 a.m. · 3 views

PT-2022-22426 · WordPress · Checkout Field Editor

Name of the Vulnerable Software and Affected Versions: The Checkout Field Editor Checkout Manager for WooCommerce WordPress plugin versions prior to 1.8.0 Description: The issue allows high privilege users, such as admins, to perform PHP Object Injection when a suitable gadget is present. This is...

7.2 CVSS · 6.9 AI score · 0.00901 EPSS
Exploits: 2 · References: 5
Patchstack
added 2022/11/23 12:00 a.m. · 30 views

WordPress Smart Slider 3 plugin <= 3.5.1.9 - Auth. PHP Object Injection vulnerability

Auth. PHP Object Injection vulnerability discovered by Dave Jong (Patchstack) in WordPress Smart Slider 3 plugin (versions <= 3.5.1.9). Solution: Update the WordPress Smart Slider 3 plugin to the latest available version (at least 3.5.1.11)...

2.4 AI score · 0.00394 EPSS
Exploits: 0 · Affected Software: 1
GitHub Security Blog
added 2022/11/21 10:32 p.m. · 26 views

Prevent RCE when deserializing untrusted user input

Impact: Affected versions of yiisoft/yii are vulnerable to Remote Code Execution (RCE) if the application calls unserialize on arbitrary user input. Patches: Upgrade yiisoft/yii to version 1.1.27 or higher. For more information: See the following links for more details: - Git commit -...

9.8 CVSS · 9.5 AI score · 0.03836 EPSS
Exploits: 0 · References: 4 · Affected Software: 1
OSV
added 2022/11/21 10:32 p.m. · 16 views

GHSA-442F-WCWQ-FPCF Prevent RCE when deserializing untrusted user input

Impact: Affected versions of yiisoft/yii are vulnerable to Remote Code Execution (RCE) if the application calls unserialize on arbitrary user input. Patches: Upgrade yiisoft/yii to version 1.1.27 or higher. For more information: See the following links for more details: - Git commit -...

8.1 CVSS · 9.2 AI score · 0.03836 EPSS
Exploits: 0 · References: 4