3585 matches found

Vulnrichment
added 2025/07/12 8:23 a.m. · 4 views

CVE-2025-7504 Friends 3.5.1 - Authenticated (Subscriber+) PHP Object Injection

The Friends plugin for WordPress is vulnerable to PHP Object Injection in version 3.5.1 via deserialization of untrusted input of the queryvars parameter. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject a PHP Object. No known POP chain is prese...

7.5 CVSS · 7.6 AI score · 0.01757 EPSS
Exploits: 1 · References: 5
Cvelist
added 2025/07/12 8:23 a.m. · 5 views

CVE-2025-7504 Friends 3.5.1 - Authenticated (Subscriber+) PHP Object Injection

The Friends plugin for WordPress is vulnerable to PHP Object Injection in version 3.5.1 via deserialization of untrusted input of the queryvars parameter. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject a PHP Object. No known POP chain is prese...

7.5 CVSS · 0.01757 EPSS
Exploits: 1 · References: 5
Positive Technologies
added 2025/07/12 12:00 a.m. · 4 views

PT-2025-29313 · WordPress · Friends Plugin For Wordpress

Name of the Vulnerable Software and Affected Versions: Friends plugin for WordPress version 3.5.1
Description: The Friends plugin for WordPress is vulnerable to PHP Object Injection via deserialization of untrusted input of the query vars parameter. This allows authenticated attackers with...

8.8 CVSS · 6.6 AI score · 0.01757 EPSS
Exploits: 1 · References: 14
Patchstack
added 2025/07/11 9:12 p.m. · 9 views

WordPress Friends plugin <= 3.5.1 - Authenticated (Admin+) PHP Object Injection vulnerability

Authenticated Admin+ PHP Object Injection vulnerability discovered by Pham Nguyen Khoa in WordPress Plugin Friends versions <= 3.5.1...

8.8 CVSS · 7 AI score · 0.01757 EPSS
Exploits: 1 · References: 1 · Affected Software: 1
Patchstack
added 2025/07/11 7:16 a.m. · 4 views

WordPress URL Shortener <= 3.0.7 - PHP Object Injection Vulnerability

PHP Object Injection Vulnerability discovered by ch4r0n in WordPress Plugin URL Shortener versions <= 3.0.7...

9.8 CVSS · 7 AI score · 0.00369 EPSS
Exploits: 0 · Affected Software: 1
RedhatCVE
added 2025/07/11 6:26 a.m. · 17 views

CVE-2025-6742

The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.7.3 via the use of file_exists in the delete_entry_files function without restriction on the path provided. This makes it possible for...

7.5 CVSS · 7 AI score · 0.01441 EPSS
Exploits: 0 · References: 1
RedhatCVE
added 2025/07/11 5:21 a.m. · 15 views

CVE-2025-7216

A vulnerability, which was classified as critical, was found in lty628 Aidigu up to 1.8.2. This affects the function checkUserCookie of the file /application/common.php of the component PHP Object Handler. The manipulation of the argument rememberMe leads to deserialization. It is possible to...

7.5 CVSS · 7.2 AI score · 0.00324 EPSS
Exploits: 0 · References: 1
NVD
added 2025/07/09 6:15 a.m. · 6 views

CVE-2025-6742

The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.7.3 via the use of file_exists in the delete_entry_files function without restriction on the path provided. This makes it possible for...

7.5 CVSS · 0.01441 EPSS
Exploits: 0 · References: 3
OSV
added 2025/07/09 6:15 a.m. · 3 views

CVE-2025-6742

The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.7.3 via the use of file_exists in the delete_entry_files function without restriction on the path provided. This makes it possible for...

7.5 CVSS · 6 AI score · 0.01441 EPSS
Exploits: 0 · References: 3
CVE
added 2025/07/09 5:23 a.m. · 36 views

CVE-2025-6742

CVE-2025-6742 affects the WordPress plugin SureForms – Drag and Drop Form Builder for WordPress up to version 1.7.3. The root cause is use of file_exists() in delete_entry_files() with no path restriction, enabling unauthenticated PHP Object Injection. The report notes that no known POP c...

7.5 CVSS · 7.1 AI score · 0.01441 EPSS
Exploits: 0 · References: 3 · Affected Software: 1
Cvelist
added 2025/07/09 5:23 a.m. · 7 views

CVE-2025-6742 SureForms – Drag and Drop Form Builder for WordPress <= 1.7.3 - Unauthenticated PHP Object Injection (PHAR) Triggered via Admin Submission Deletion

The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.7.3 via the use of file_exists in the delete_entry_files function without restriction on the path provided. This makes it possible for...

7.5 CVSS · 0.01441 EPSS
Exploits: 0 · References: 3
Vulnrichment
added 2025/07/09 5:23 a.m. · 5 views

CVE-2025-6742 SureForms – Drag and Drop Form Builder for WordPress <= 1.7.3 - Unauthenticated PHP Object Injection (PHAR) Triggered via Admin Submission Deletion

The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.7.3 via the use of file_exists in the delete_entry_files function without restriction on the path provided. This makes it possible for...

7.5 CVSS · 7.7 AI score · 0.01441 EPSS
Exploits: 0 · References: 3
NVD
added 2025/07/09 5:15 a.m. · 4 views

CVE-2025-7216

A vulnerability, which was classified as critical, was found in lty628 Aidigu up to 1.8.2. This affects the function checkUserCookie of the file /application/common.php of the component PHP Object Handler. The manipulation of the argument rememberMe leads to deserialization. It is possible to...

7.5 CVSS · 0.00324 EPSS
Exploits: 0 · References: 4
Vulnrichment
added 2025/07/09 4:32 a.m. · 2 views

CVE-2025-7216 lty628 Aidigu PHP Object common.php checkUserCookie deserialization

A vulnerability, which was classified as critical, was found in lty628 Aidigu up to 1.8.2. This affects the function checkUserCookie of the file /application/common.php of the component PHP Object Handler. The manipulation of the argument rememberMe leads to deserialization. It is possible to...

7.5 CVSS · 7.2 AI score · 0.00324 EPSS
Exploits: 0 · References: 4
CVE
added 2025/07/09 4:32 a.m. · 24 views

CVE-2025-7216

CVE-2025-7216 affects lty628 Aidigu versions up to 1.8.2. The vulnerability resides in the PHP Object Handler's file /application/common.php, specifically the function checkUserCookie, where manipulating the rememberMe argument leads to deserialization. This allows remote exploitation and, per so...

7.5 CVSS · 7.2 AI score · 0.00324 EPSS
Exploits: 0 · References: 4
Cvelist
added 2025/07/09 4:32 a.m. · 9 views

CVE-2025-7216 lty628 Aidigu PHP Object common.php checkUserCookie deserialization

A vulnerability, which was classified as critical, was found in lty628 Aidigu up to 1.8.2. This affects the function checkUserCookie of the file /application/common.php of the component PHP Object Handler. The manipulation of the argument rememberMe leads to deserialization. It is possible to...

7.5 CVSS · 0.00324 EPSS
Exploits: 0 · References: 4
Positive Technologies
added 2025/07/09 12:00 a.m. · 2 views

PT-2025-28844 · WordPress · Sureforms

Name of the Vulnerable Software and Affected Versions: SureForms – Drag and Drop Form Builder for WordPress versions up to 1.7.3
Description: The issue allows unauthenticated attackers to inject a PHP object through the use of file_exists in the delete_entry_files function without restriction on...

7.5 CVSS · 6.8 AI score · 0.01441 EPSS
Exploits: 0 · References: 10
Patchstack
added 2025/07/08 5:41 p.m. · 8 views

WordPress SureForms plugin <= 1.7.3 - Unauthenticated PHP Object Injection (PHAR) vulnerability

Unauthenticated PHP Object Injection PHAR vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin SureForms versions <= 1.7.3...

7.5 CVSS · 7.1 AI score · 0.01441 EPSS
Exploits: 0 · References: 1 · Affected Software: 1
Patchstack
added 2025/07/08 12:34 p.m. · 5 views

WordPress Yogi theme < 2.9.3 - PHP Object Injection Vulnerability

PHP Object Injection Vulnerability discovered by Bonds in WordPress Theme Yogi versions < 2.9.3...

8.8 CVSS · 7.2 AI score · 0.00336 EPSS
Exploits: 0 · Affected Software: 1
Patchstack
added 2025/07/08 11:36 a.m. · 3 views

WordPress Hillter theme <= 3.0.7 - PHP Object Injection Vulnerability

PHP Object Injection Vulnerability discovered by Bonds in WordPress Theme Hillter versions <= 3.0.7...

8.8 CVSS · 7.2 AI score · 0.00336 EPSS
Exploits: 0 · Affected Software: 1