User Registration < 3.0.2 – Subscriber+ PHP Object Injection | CVE 2023-3343 | Plugin Vulnerabilities

Description

The plugin does not properly sanitize the 'profile-pic-url' parameter, leading to a potential PHP Object Injection. This vulnerability stems from the deserialization of untrusted input, potentially enabling a malicious user with subscriber-level permissions to inject a PHP Object. The issue may escalate if a Property Oriented Programming (POP) chain is present via an additional plugin or theme.

Affects Plugins

user-registration

Fixed in 3.0.2

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/3590277a-3319-4707-b728-d75ea59e8ad9

Classification

Type

OBJECT INJECTION

OWASP top 10

A8: Insecure Deserialization

CWE

CVSS

Miscellaneous

Original Researcher

Lana Codes

Verified

No

WPVDB ID

04c3d8c7-a945-4393-8835-74e489c5dc2d

Timeline

Publicly Published

2023-06-29 (about 2 years ago)

Added

2023-07-14 (about 2 years ago)

Last Updated

2023-07-14 (about 2 years ago)

Other

Published

Title

Published

2026-03-23

Title

Borgholm < 1.6 - Unauthenticated PHP Object Injection

Published

2024-10-21

Title

Backup and Staging by WP Time Capsule < 1.22.22 - Authenticated (Administrator+) PHP Object Injection

Published

2023-10-27

Title

Five Star Restaurant Menu and Food Ordering < 2.4.11 - Unauthenticated PHP Object Injection

Published

2025-09-04

Title

Single Property <= 2.8 - Authenticated (Subscriber+) PHP Object Injection

Published

2024-04-26

Title

WP Migrate Pro < 2.6.11 - Unauthenticated PHP Object Injection