Lucene search
K

462 matches found

Cvelist
Cvelist
added 2023/10/16 8:32 a.m.28 views

CVE-2023-3392 Read More & Accordion < 3.2.7 - Admin+ PHP Object Injection

The Read More & Accordion WordPress plugin before 3.2.7 unserializes user input provided via the settings, which could allow high-privilege users such as admin to perform PHP Object Injection when a suitable gadget is present...

7.4AI score0.00783EPSS
Exploits2References1
OpenVAS
OpenVAS
added 2023/09/27 12:0 a.m.11 views

WordPress Customizer Export/Import Plugin < 0.9.6 PHP Object Injection Vulnerability

The WordPress plugin SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:wpbeaverbuilder:customizerexport%2fimport"; if description...

7.2CVSS7.1AI score0.16046EPSS
Exploits1References1
OpenVAS
OpenVAS
added 2023/09/27 12:0 a.m.8 views

WordPress Customizer Export/Import Plugin < 0.9.5 PHP Object Injection Vulnerability

The WordPress plugin SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:wpbeaverbuilder:customizerexport%2fimport"; if description...

7.2CVSS7.1AI score0.01126EPSS
Exploits1References1
WPVulnDB
WPVulnDB
added 2023/09/21 12:0 a.m.19 views

Enable Media Replace < 4.1.3 - Author+ PHP Object Injection

Description The plugin unserializes user input via the Remove Background feature, which could allow Author+ users to perform PHP Object Injection when a suitable gadget is present on the blog PoC Step 1: Add the following code to the end of the file located at...

8.8CVSS6.9AI score0.00837EPSS
Exploits2Affected Software1
OSV
OSV
added 2023/07/07 1:42 p.m.37 views

GHSA-3Q76-JQ6M-573P Archive_Tar contains Potential RCE if filename starts with phar://

PEAR ArchiveTar version 1.4.3 and earlier contains a CWE-502, CWE-915 vulnerability in the ArchiveTar class. There are several file operations with $vheader'filename' as parameter such as fileexists, isfile, isdir, etc. When extract is called without a specific prefix path, we can trigger...

8.8CVSS8.8AI score0.19207EPSS
Exploits5References12
NVD
NVD
added 2023/05/15 1:15 p.m.17 views

CVE-2023-2180

The KIWIZ Invoices Certification & PDF System WordPress plugin through 2.1.3 does not validate the path of files to be downloaded, which could allow unauthenticated attacker to read/downlaod arbitrary files, as well as perform PHAR unserialization assuming they can upload a file on the server...

7.5CVSS7.7AI score0.00866EPSS
Exploits2References1
OSV
OSV
added 2023/05/15 1:15 p.m.4 views

CVE-2023-1549

The Ad Inserter WordPress plugin before 2.7.27 unserializes user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present...

7.2CVSS7.2AI score0.16903EPSS
Exploits2References1
NVD
NVD
added 2023/05/15 1:15 p.m.16 views

CVE-2023-1549

The Ad Inserter WordPress plugin before 2.7.27 unserializes user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present...

7.2CVSS7AI score0.16903EPSS
Exploits2References1
Vulnrichment
Vulnrichment
added 2023/05/15 12:15 p.m.9 views

CVE-2023-2180 KIWIZ Invoices Certification & PDF System <= 2.1.3 - Unauthenticated Arbitrary File Download

The KIWIZ Invoices Certification & PDF System WordPress plugin through 2.1.3 does not validate the path of files to be downloaded, which could allow unauthenticated attacker to read/downlaod arbitrary files, as well as perform PHAR unserialization assuming they can upload a file on the server...

7.6AI score0.00866EPSS
Exploits2References1
Cvelist
Cvelist
added 2023/05/15 12:15 p.m.16 views

CVE-2023-2180 KIWIZ Invoices Certification & PDF System <= 2.1.3 - Unauthenticated Arbitrary File Download

The KIWIZ Invoices Certification & PDF System WordPress plugin through 2.1.3 does not validate the path of files to be downloaded, which could allow unauthenticated attacker to read/downlaod arbitrary files, as well as perform PHAR unserialization assuming they can upload a file on the server...

7.8AI score0.00866EPSS
Exploits2References1
CVE
CVE
added 2023/05/15 12:15 p.m.54 views

CVE-2023-2180

The CVE-2023-2180 entry concerns the KIWIZ Invoices Certification & PDF System WordPress plugin (versions ≤ 2.1.3). Affected component: file download path validation is insufficient, enabling an unauthenticated attacker to read/download arbitrary files. The issue also enables PHAR unserialization...

7.5CVSS7.7AI score0.00866EPSS
Exploits2References1Affected Software1
Vulnrichment
Vulnrichment
added 2023/05/15 12:15 p.m.16 views

CVE-2023-1549 Ad Inserter < 2.7.27 - Admin+ PHP Object Injection

The Ad Inserter WordPress plugin before 2.7.27 unserializes user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present...

7.1AI score0.16903EPSS
Exploits2References1
Cvelist
Cvelist
added 2023/05/15 12:15 p.m.19 views

CVE-2023-1549 Ad Inserter < 2.7.27 - Admin+ PHP Object Injection

The Ad Inserter WordPress plugin before 2.7.27 unserializes user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present...

7.2AI score0.16903EPSS
Exploits2References1
Positive Technologies
Positive Technologies
added 2023/05/15 12:0 a.m.7 views

PT-2023-18344 · WordPress · Kiwiz Invoices Certification & Pdf System

Name of the Vulnerable Software and Affected Versions: KIWIZ Invoices Certification & PDF System WordPress plugin versions 2.1.3 and earlier Description: The issue allows an unauthenticated attacker to read or download arbitrary files, as well as perform PHAR unserialization if they can upload a...

7.5CVSS9.5AI score0.00866EPSS
Exploits2References7
OSV
OSV
added 2023/05/08 2:15 p.m.4 views

CVE-2023-1650

The AI ChatBot WordPress plugin before 4.4.7 unserializes user input from cookies via an AJAX action available to unauthenticated users, which could allow them to perform PHP Object Injection when a suitable gadget is present on the blog...

9.8CVSS7.3AI score0.34351EPSS
Exploits2References1
Prion
Prion
added 2023/05/08 2:15 p.m.12 views

Design/Logic Flaw

The Customizer Export/Import WordPress plugin before 0.9.6 unserializes user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present...

5.8CVSS7.1AI score0.16046EPSS
Exploits1References1Affected Software1
Prion
Prion
added 2023/05/02 9:15 a.m.22 views

Design/Logic Flaw

The Advanced Custom Fields ACF Free and Pro WordPress plugins 6.x before 6.1.0 and 5.x before 5.12.5 unserialize user controllable data, which could allow users with a role of Contributor and above to perform PHP Object Injection when a suitable gadget is present...

6.5CVSS8.8AI score0.0108EPSS
Exploits3References2Affected Software1
NVD
NVD
added 2023/05/02 8:15 a.m.24 views

CVE-2023-1669

The SEOPress WordPress plugin before 6.5.0.3 unserializes user input provided via the settings, which could allow high-privilege users such as admin to perform PHP Object Injection when a suitable gadget is present...

7.2CVSS7.2AI score0.18505EPSS
Exploits2References1
Cvelist
Cvelist
added 2023/05/02 7:4 a.m.29 views

CVE-2023-1669 SEOPress < 6.5.0.3 - Admin+ PHP Object Injection

The SEOPress WordPress plugin before 6.5.0.3 unserializes user input provided via the settings, which could allow high-privilege users such as admin to perform PHP Object Injection when a suitable gadget is present...

7.4AI score0.18505EPSS
Exploits2References1
WPVulnDB
WPVulnDB
added 2023/04/19 12:0 a.m.23 views

KIWIZ Invoices Certification & PDF System <= 2.1.3 - Unauthenticated Arbitrary File Download

The plugin does not validate the path of files to be downloaded, which could allow unauthenticated attacker to read/downlaod arbitrary files, as well as perform PHAR unserialization assuming they can upload a file on the server PoC To download ../../../../wp-config.php:...

7.5CVSS9.1AI score0.00866EPSS
Exploits2Affected Software1
Rows per page
Query Builder