The plugin does not validate the ‘remote_data’ parameter, allowing users with the contributor role and above to call files using a PHAR wrapper, which deserializes the data and calls arbitrary PHP objects when a POP chain is present.
CPE

Name | Operator | Version |
---|---|---|
visualizer | lt | 3.7.10 |
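
The missing validation described above can be closed with a scheme allowlist applied before the value reaches any file or stream function. This is an added example, not the plugin's own code or its actual fix; the function name `example_is_allowed_remote_source` and the sample inputs are hypothetical.

```php
<?php
// Added example: hypothetical helper, not taken from the plugin.
// Accept only absolute http(s) URLs for a user-supplied data source, so that
// stream wrappers such as phar:// never reach a filesystem function.

function example_is_allowed_remote_source(string $value): bool
{
    $value = trim($value);

    // Reject empty input, control characters and NUL bytes outright.
    if ($value === '' || preg_match('/[\x00-\x1F\x7F]/', $value)) {
        return false;
    }

    $parts = parse_url($value);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false; // relative paths, bare file names, malformed input
    }

    // Allowlist rather than blocklist: phar://, file://, php://, zip://,
    // data:// and any wrapper registered later are all rejected here.
    // strtolower() matters because wrapper names are case-insensitive.
    return in_array(strtolower($parts['scheme']), ['http', 'https'], true);
}

// Constructed sample inputs (not from the advisory).
$samples = [
    'https://example.com/data.csv',
    'phar:///var/www/uploads/image.jpg/x',
    'PHAR://uploads/a.jpg',
    '/etc/passwd',
    'php://filter/resource=x',
];

foreach ($samples as $s) {
    $verdict = example_is_allowed_remote_source($s) ? 'allow' : 'reject';
    printf("%-40s %s\n", $s, $verdict);
}
```

Only the first sample is allowed. The check addresses the wrapper issue only and does not restrict which hosts an accepted URL may point to.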