
3587 matches found

WPVulnDB
added 2022/11/07 12:0 a.m., 37 views

Checkout Field Editor for WooCommerce < 1.8.0 - Admin+ PHP Object Injection

The plugin unserializes user input provided via the settings, which could allow high-privilege users such as admin to perform PHP Object Injection when a suitable gadget is present. PoC: To simulate a gadget chain, put the following code in a plugin: class Evil public function wakeup : void...

CVSS: 7.2, AI score: 2.3, EPSS: 0.00901
Exploits: 2, Affected Software: 1
OSV
added 2022/10/31 4:15 p.m., 3 views

CVE-2022-3374

The Ocean Extra WordPress plugin before 2.0.5 unserialises the content of an imported file, which could lead to PHP object injection issues when a high-privilege user imports, intentionally or not, a malicious Customizer Styling file and a suitable gadget chain is present on the blog...

CVSS: 7.2, AI score: 5.8
Exploits: 0, References: 1
NVD
added 2022/10/31 4:15 p.m., 13 views

CVE-2022-3360

The LearnPress WordPress plugin before 4.1.7.2 unserialises user input in a REST API endpoint available to unauthenticated users, which could lead to PHP Object Injection when a suitable gadget is present, leading to remote code execution (RCE). To successfully exploit this vulnerability attackers...

CVSS: 8.1, EPSS: 0.16461
Exploits: 2, References: 1
NVD
added 2022/10/31 4:15 p.m., 19 views

CVE-2022-3357

The Smart Slider 3 WordPress plugin before 3.5.1.11 unserialises the content of an imported file, which could lead to PHP object injection issues when a user imports, intentionally or not, a malicious file, and a suitable gadget chain is present on the site...

CVSS: 8.8, EPSS: 0.27109
Exploits: 3, References: 1
NVD
added 2022/10/31 4:15 p.m., 9 views

CVE-2022-3366

The PublishPress Capabilities WordPress plugin before 2.5.2, PublishPress Capabilities Pro WordPress plugin before 2.5.2 unserializes the content of imported files, which could lead to PHP object injection attacks by administrators, on multisite WordPress configurations. Successful exploitation i...

CVSS: 7.2, EPSS: 0.00901
Exploits: 2, References: 1
OSV
added 2022/10/31 4:15 p.m., 2 views

CVE-2022-3334

The Easy WP SMTP WordPress plugin before 1.5.0 unserialises the content of an imported file, which could lead to PHP object injection issues when an admin imports, intentionally or not, a malicious file and a suitable gadget chain is present on the blog...

CVSS: 7.2, AI score: 5.8
Exploits: 0, References: 1
OSV
added 2022/10/31 4:15 p.m., 2 views

CVE-2022-3366

The PublishPress Capabilities WordPress plugin before 2.5.2, PublishPress Capabilities Pro WordPress plugin before 2.5.2 unserializes the content of imported files, which could lead to PHP object injection attacks by administrators, on multisite WordPress configurations. Successful exploitation i...

CVSS: 7.2, AI score: 5.8
Exploits: 0, References: 1
OSV
added 2022/10/31 4:15 p.m., 1 view

CVE-2022-3357

The Smart Slider 3 WordPress plugin before 3.5.1.11 unserialises the content of an imported file, which could lead to PHP object injection issues when a user imports, intentionally or not, a malicious file, and a suitable gadget chain is present on the site...

CVSS: 8.8, AI score: 5.8, EPSS: 0.27109
Exploits: 3, References: 1
NVD
added 2022/10/31 4:15 p.m., 14 views

CVE-2022-3374

The Ocean Extra WordPress plugin before 2.0.5 unserialises the content of an imported file, which could lead to PHP object injection issues when a high-privilege user imports, intentionally or not, a malicious Customizer Styling file and a suitable gadget chain is present on the blog...

CVSS: 7.2, EPSS: 0.00908
Exploits: 2, References: 1
NVD
added 2022/10/31 4:15 p.m., 11 views

CVE-2022-3334

The Easy WP SMTP WordPress plugin before 1.5.0 unserialises the content of an imported file, which could lead to PHP object injection issues when an admin imports, intentionally or not, a malicious file and a suitable gadget chain is present on the blog...

CVSS: 7.2, EPSS: 0.00901
Exploits: 2, References: 1
NVD
added 2022/10/31 4:15 p.m., 8 views

CVE-2022-3380

The Customizer Export/Import WordPress plugin before 0.9.5 unserializes the content of an imported file, which could lead to PHP object injection issues when an admin imports, intentionally or not, a malicious file and a suitable gadget chain is present on the blog...

CVSS: 7.2, EPSS: 0.00991
Exploits: 1, References: 1
Prion
added 2022/10/31 4:15 p.m., 7 views

Design/Logic Flaw

The Customizer Export/Import WordPress plugin before 0.9.5 unserializes the content of an imported file, which could lead to PHP object injection issues when an admin imports, intentionally or not, a malicious file and a suitable gadget chain is present on the blog...

CVSS: 5.8, AI score: 7.1, EPSS: 0.00991
Exploits: 1, References: 1, Affected Software: 1
Prion
added 2022/10/31 4:15 p.m., 22 views

Design/Logic Flaw

The Smart Slider 3 WordPress plugin before 3.5.1.11 unserialises the content of an imported file, which could lead to PHP object injection issues when a user imports, intentionally or not, a malicious file, and a suitable gadget chain is present on the site...

CVSS: 6.5, AI score: 8.8, EPSS: 0.27109
Exploits: 3, References: 1, Affected Software: 1
Prion
added 2022/10/31 4:15 p.m., 14 views

Design/Logic Flaw

The Easy WP SMTP WordPress plugin before 1.5.0 unserialises the content of an imported file, which could lead to PHP object injection issues when an admin imports, intentionally or not, a malicious file and a suitable gadget chain is present on the blog...

CVSS: 5.8, AI score: 7.1, EPSS: 0.00901
Exploits: 2, References: 1, Affected Software: 1
Prion
added 2022/10/31 4:15 p.m., 15 views

Design/Logic Flaw

The PublishPress Capabilities WordPress plugin before 2.5.2, PublishPress Capabilities Pro WordPress plugin before 2.5.2 unserializes the content of imported files, which could lead to PHP object injection attacks by administrators, on multisite WordPress configurations. Successful exploitation i...

CVSS: 5.8, AI score: 7, EPSS: 0.00901
Exploits: 2, References: 1, Affected Software: 1
Prion
added 2022/10/31 4:15 p.m., 21 views

Design/Logic Flaw

The LearnPress WordPress plugin before 4.1.7.2 unserialises user input in a REST API endpoint available to unauthenticated users, which could lead to PHP Object Injection when a suitable gadget is present, leading to remote code execution (RCE). To successfully exploit this vulnerability attackers...

CVSS: 5.1, AI score: 8.6, EPSS: 0.16461
Exploits: 2, References: 1, Affected Software: 1
Prion
added 2022/10/31 4:15 p.m., 25 views

Design/Logic Flaw

The Ocean Extra WordPress plugin before 2.0.5 unserialises the content of an imported file, which could lead to PHP object injection issues when a high-privilege user imports, intentionally or not, a malicious Customizer Styling file and a suitable gadget chain is present on the blog...

CVSS: 5.8, AI score: 6.9, EPSS: 0.00908
Exploits: 2, References: 1, Affected Software: 1
Cvelist
added 2022/10/31 12:0 a.m., 14 views

CVE-2022-3366 PublishPress Capabilities < 2.5.2 - Admin+ PHP Object Injection

The PublishPress Capabilities WordPress plugin before 2.5.2, PublishPress Capabilities Pro WordPress plugin before 2.5.2 unserializes the content of imported files, which could lead to PHP object injection attacks by administrators, on multisite WordPress configurations. Successful exploitation i...

AI score: 7.2, EPSS: 0.00901
Exploits: 2, References: 1
CVE
added 2022/10/31 12:0 a.m., 51 views

CVE-2022-3380

The CVE-2022-3380 entry concerns the WordPress plugin Customizer Export/Import, affected versions prior to 0.9.5. The vulnerability arises from unserializing the content of an imported file, enabling PHP object injection if an admin imports a malicious file and a gadget chain is present on the bl...

CVSS: 7.2, AI score: 7.2, EPSS: 0.00991
Exploits: 1, References: 1, Affected Software: 1
CVE
added 2022/10/31 12:0 a.m., 58 views

CVE-2022-3360

CVE-2022-3360 affects the LearnPress WordPress plugin prior to 4.1.7.2. The issue arises from unserialising user input in an unauthenticated REST API endpoint, enabling PHP Object Injection when a suitable gadget is present and potentially leading to remote code execution (RCE). An attacker must ...

CVSS: 8.1, AI score: 8.6, EPSS: 0.16461
Exploits: 2, References: 1, Affected Software: 1