1305 matches found
CVE-2025-54785 SuiteCRM is Vulnerable to PHP Object Injection in Reports
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management CRM software application. In versions 7.14.6 and 8.8.0, user-supplied input is not validated/sanitized before it is passed to the unserialize function, which could lead to penetration, privilege escalation, sensitive da...
Exploit for CVE-2015-0273
phpcodz Php Codz Hacking http://www.80vul.com/pch/ What is PHP? PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML. If you are new to PHP and want to get some idea of how it works, try the introductory tutorial. Afte...
CVE-2024-55555
Invoice Ninja before 5.10.43 allows remote code execution from a pre-authenticated route when an attacker knows the APPKEY. This is exacerbated by .env files, available from the product's repository, that have default APPKEY values. The route/hash route defined in the invoiceninja/routes/client.p...
CVE-2023-1405
The Formidable Forms WordPress plugin before 6.2 unserializes user input, which could allow anonymous users to perform PHP Object Injection when a suitable gadget is present...
CVE-2023-22851
Tiki before 24.2 allows PHP Object Injection in lib/importer/tikiimporter_blog_wordpress.php by an admin because of an unserialize call...
CVE-2023-1196
The Advanced Custom Fields ACF Free and Pro WordPress plugins 6.x before 6.1.0 and 5.x before 5.12.5 unserialize user controllable data, which could allow users with a role of Contributor and above to perform PHP Object Injection when a suitable gadget is present...
CVE-2022-4120
The Stop Spammers Security | Block Spam Users, Comments, Forms WordPress plugin before 2022.6 passes base64-encoded user input to the unserialize PHP function when a CAPTCHA is used as the second challenge, which could lead to PHP Object Injection if a plugin installed on the blog has a suitable gadge...
CVE-2022-4043
The WP Custom Admin Interface WordPress plugin before 7.29 unserializes user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present...
CVE-2022-3380
The Customizer Export/Import WordPress plugin before 0.9.5 unserializes the content of an imported file, which could lead to PHP Object Injection when an admin imports (intentionally or not) a malicious file and a suitable gadget chain is present on the blog...
CVE-2021-33898
In Invoice Ninja before 4.4.0, there is an unsafe call to unserialize in app/Ninja/Repositories/AccountRepository.php that may allow an attacker to deserialize arbitrary PHP classes. In certain contexts, this can result in remote code execution. The attacker's input must be hosted at...
CVE-2021-24307
The All in One SEO – Best WordPress SEO Plugin – Easily Improve Your SEO Rankings before 4.1.0.2 enables authenticated users with the "aioseo_tools_settings" privilege (most of the time admin) to execute arbitrary code on the underlying host. Users can restore the plugin's configuration by uploading a backup...
CVE-2020-1899
The unserialize function supported a type code, "S", which was meant to be supported only for APC serialization. This type code allowed arbitrary memory addresses to be accessed as if they were static StringData objects. This issue affected HHVM prior to v4.32.3, between versions 4.33.0 and 4.56....
CVE-2020-29045
The food-and-drink-menu plugin through 2.2.0 for WordPress allows remote attackers to execute arbitrary code because of an unserialize operation on the fdm_cart cookie in load_cart_from_cookie in includes/class-cart-manager.php...
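The entry above, like most of the entries in this listing, is one instance of a single pattern: client-controlled bytes (here a cookie) handed to unserialize(), with exploitability decided by whatever gadget classes happen to be loaded. The block below is an added illustration and is not code from the food-and-drink-menu plugin or any other project listed here; the class LogWriter, the cookie name "cart" and the three load_cart_* functions are hypothetical. It shows a cookie-driven cart loader in its vulnerable form, the same loader with unserialize() told to instantiate no classes, and a version that drops PHP serialization for JSON plus shape validation. The crafted cookie is constructed inline so the script runs offline.

```php
<?php
// Added example, not the plugin's code. Demonstrates PHP Object Injection
// through a cookie passed to unserialize(), and two hardened alternatives.

// Constructed gadget: any loaded class whose __destruct/__wakeup acts on its
// own properties is enough; real chains usually span several classes.
class LogWriter
{
    public $path;
    public $data;
    public function __destruct()
    {
        // Attacker controls both properties after deserialization.
        file_put_contents($this->path, $this->data);
    }
}

// Vulnerable: the cookie is trusted as a PHP-serialized value.
function load_cart_vulnerable(array $cookies): array
{
    if (!isset($cookies['cart'])) {
        return [];
    }
    $cart = unserialize(base64_decode($cookies['cart']));
    // The returned object is discarded here; its destructor still fires.
    return is_array($cart) ? $cart : [];
}

// Mitigation 1: keep unserialize() but forbid object instantiation.
// Objects in the payload become __PHP_Incomplete_Class, so no magic
// method runs. (Deeply nested payloads can still cost CPU/memory.)
function load_cart_no_objects(array $cookies): array
{
    if (!isset($cookies['cart'])) {
        return [];
    }
    $raw = base64_decode($cookies['cart'], true);
    if ($raw === false) {
        return [];
    }
    $cart = unserialize($raw, ['allowed_classes' => false]);
    return is_array($cart) ? $cart : [];
}

// Mitigation 2: drop PHP serialization for JSON and validate the shape.
// A cart is a map of int product id => positive int quantity; anything
// else is rejected rather than repaired.
function load_cart_hardened(array $cookies): array
{
    if (!isset($cookies['cart'])) {
        return [];
    }
    $raw = base64_decode($cookies['cart'], true);
    if ($raw === false) {
        return [];
    }
    $cart = json_decode($raw, true, 4);
    if (!is_array($cart)) {
        return [];
    }
    $clean = [];
    foreach ($cart as $id => $qty) {
        if (is_int($id) && is_int($qty) && $qty > 0 && $qty <= 1000) {
            $clean[$id] = $qty;
        }
    }
    return $clean;
}

// Crafted cookie, built as a string so the gadget is never instantiated
// on the "attacker" side of this demo. Writes a marker file on unserialize.
$marker  = sys_get_temp_dir() . '/poi_demo_marker.txt';
$payload = sprintf(
    'O:9:"LogWriter":2:{s:4:"path";s:%d:"%s";s:4:"data";s:5:"owned";}',
    strlen($marker),
    $marker
);
$cookie = ['cart' => base64_encode($payload)];

@unlink($marker);
load_cart_vulnerable($cookie);
echo 'vulnerable loader: ', file_exists($marker) ? "file written\n" : "no write\n";

@unlink($marker);
load_cart_no_objects($cookie);
echo 'allowed_classes=false: ', file_exists($marker) ? "file written\n" : "no write\n";

@unlink($marker);
$cart = load_cart_hardened($cookie);
echo 'json loader: ', file_exists($marker) ? "file written" : "no write",
     ', cart=', json_encode($cart), "\n";

// A legitimate cart round-trips through the hardened loader unchanged.
$good = ['cart' => base64_encode(json_encode([42 => 2, 7 => 1]))];
echo 'json loader, valid cookie: ', json_encode(load_cart_hardened($good)), "\n";
```

Running the script prints "file written" only for the vulnerable loader; the other two never instantiate LogWriter. The allowed_classes option is the smallest change when the format cannot be replaced (it was added in PHP 7.0; on older interpreters the only fix is to stop calling unserialize() on the input). If client-side state must survive a round trip and must stay in PHP serialization, sign it with an HMAC under a server-side key and verify with hash_equals() before decoding, so that the server only ever unserializes bytes it produced itself. Neither option helps against gadget-free abuse of the same sink, for example phar:// paths reaching filesystem functions, so the JSON-plus-validation route is the one to prefer for new code.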
CVE-2020-23653
An insecure unserialize vulnerability was discovered in ThinkAdmin versions 4.x through 6.x in app/admin/controller/api/Update.php and app/wechat/controller/api/Push.php, which may lead to arbitrary remote code execution...
CVE-2020-26165
qdPM through 9.1 allows PHP Object Injection via timeReportActions::executeExport in core/apps/qdPM/modules/timeReport/actions/actions.class.php because unserialize is used...
CVE-2019-10867
An issue was discovered in Pimcore before 5.7.1. An attacker with classes permission can send a POST request to /admin/class/bulk-commit, which will make it possible to exploit the unserialize function when passing untrusted values in the data parameter to...
RHEL 6 / 7 : php55 (RHSA-2015:1053)
The remote Redhat Enterprise Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2015:1053 advisory. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. The php55 packages provide a recent stable release...
UNA CMS 14.0.0-RC - PHP Object Injection
Exploit Title: UNA CMS <= 14.0.0-RC4 BxBaseMenuSetAclLevel.php PHP Object Injection Vulnerability. Author: Egidio Romano aka EgiX. Software link: https://unacms.com - Software Links: https://unacms.com https://github.com/unacms/una - Affected Versions: All versions from 9.0.0-RC1 to 14.0.0-RC...
CVE-2025-2244
A vulnerability in the sendMailFromRemoteSource method in Emails.php as used in Bitdefender GravityZone Console unsafely uses php unserialize on user-supplied input without validation. By crafting a malicious serialized payload, an attacker can trigger PHP object injection, perform a file write,...