Themify Ultra < 7.3.6 – Authenticated (Subscriber+) PHP Object Injection | CVE 2023-46147 | Theme Vulnerabilities

Description

The themify-ultra theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.3.3 via deserialization of untrusted input. This makes it possible for authenticated attackers with subscriber access and above to inject a PHP Object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Affects Themes

Fixed in 7.3.6

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/17c6a91c-e2a6-4f17-b145-145e9e7a0079

Classification

Type

OBJECT INJECTION

OWASP top 10

A8: Insecure Deserialization

CWE

CVSS

Miscellaneous

Original Researcher

Rafie Muhammad

Verified

No

WPVDB ID

081100e1-c594-4c0f-8df3-0b6c0f511996

Timeline

Publicly Published

2023-10-17 (about 2 years ago)

Added

2023-11-23 (about 2 years ago)

Last Updated

2023-11-28 (about 2 years ago)

Other

Published

Title

Published

2025-01-21

Title

AI Power: Complete AI Pack < 1.8.97 - Authenticated (Admin+) PHP Object Injection via wpaicg_export_ai_forms

Published

2024-09-24

Title

Prisna GWT - Google Website Translator < 1.4.12 - Authenticated (Admin+) PHP Object Injection

Published

2025-01-16

Title

Quick Count <= 3.00 - Unauthenticated PHP Object Injection

Published

2022-08-17

Title

Download Manager < 3.2.50 - Contributor+ PHAR Deserialization

Published

2025-04-10

Title

WpBookingly <= 1.3.0 - Unauthenticated PHP Object Injection