WordPress Plugin Vulnerabilities

Search & Replace < 3.2.3 - Unauthenticated PHP Object Injection

Description

The plugin is vulnerable to PHP Object Injection via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Affects Plugins

Plugin icon
search-and-replace
Fixed in 3.2.3

References

CVE
CVE-2024-38759
URL
https://patchstack.com/database/vulnerability/search-and-replace/wordpress-search-replace-plugin-3-2-2-deserialization-of-untrusted-data-vulnerability

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Trinh Vu (Sonicrrrr)
Verified
No
WPVDB ID
06a1c512-4d15-4964-821c-95a185ee57ce

Timeline

Publicly Published
2024-07-11 (about 1 year ago)
Added
2024-07-17 (about 1 year ago)
Last Updated
2024-09-02 (about 1 year ago)

Other

Published
Title
Published
2024-10-24
Title
Namaste! LMS < 2.6.4 - Authenticated (Subscriber+) PHP Object Injection
Published
2024-05-21
Title
Contact Form Plugin by Fluent Forms < 5.1.16 - Contributor+ PHP Object Injection
Published
2024-10-24
Title
WPC Shop as a Customer for WooCommerce < 1.2.7 - Authenticated (Subscriber+) PHP Object Injection
Published
2026-03-23
Title
Apicona <= 24.1.0 - Authenticated (Subscriber+) PHP Object Injection
Published
2024-01-24
Title
Better Search Replace < 1.4.5 - Unauthenticated PHP Object Injection