WordPress Plugin Vulnerabilities

Shortcodes and extra features for Phlox theme < 2.10.7 - PHP Objection Injection

Description

The plugin unserializes the content of an imported file, which could lead to PHP object injection when a user imports (intentionally or not) a malicious file and a suitable gadget chain is present on the blog.

Proof of Concept

Affects Plugins

Plugin icon
auxin-elements
Fixed in 2.10.7

References

CVE
CVE-2022-3359

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502
CVSS
5.5 (medium)

Miscellaneous

Original Researcher
Nguyen Duy Quoc Khanh
Submitter
Nguyen Duy Quoc Khanh
Submitter website
https://github.com/ngduyquockhanh
Submitter twitter
ndqkhanh
Verified
Yes
WPVDB ID
08f3ce22-94a0-496a-aaf9-d35b6b0f5bb6

Timeline

Publicly Published
2022-11-17 (about 3 years ago)
Added
2022-11-17 (about 3 years ago)
Last Updated
2023-01-23 (about 2 years ago)

Other

Published
Title
Published
2025-03-21
Title
Export and Import Users and Customers < 2.6.3 - Authenticated (Admin+) PHP Object Injection via form_data Parameter
Published
2025-03-25
Title
Product Import Export for WooCommerce < 2.5.1 - Authenticated (Admin+) PHP Object Injection via form_data Parameter
Published
2016-11-15
Title
Google Analytics Counter Tracker < 3.5.0 - Unauthenticated PHP Object Injection
Published
2025-01-06
Title
Compare Products for WooCommerce < 3.2.2 - Unauthenticated PHP Object Injection
Published
2023-01-04
Title
Revive Old Posts – Social Media Auto Post and Scheduling Plugin < 9.0.11 - PHP Object Injection