wpvulndb WPVDB-ID:04C3D8C7-A945-4393-8835-74E489C5DC2D
History: Jun 29, 2023 - 12:00 a.m.

User Registration < 3.0.2 - Subscriber+ PHP Object Injection

2023-06-29 00:00:00
wpscan.com
8
user registration
vulnerability
php object injection
plugin
deserialization
untrusted input
subscriber-level permissions
property oriented programming
pop chain

EPSS

0.003

Percentile

69.2%

The plugin does not properly sanitize the ‘profile-pic-url’ parameter, leading to a potential PHP Object Injection. This vulnerability stems from the deserialization of untrusted input, potentially enabling a malicious user with subscriber-level permissions to inject a PHP Object. The issue may escalate if a Property Oriented Programming (POP) chain is present via an additional plugin or theme.

