WordPress Plugin Vulnerabilities

WP Simple Galleries <= 1.34 - Contributor+ PHP Object Injection

Description

The plugin does not properly handle deserialization of untrusted input from the 'wpsimplegallery_gallery' post meta via 'wpsgallery' shortcode.

Affects Plugins

Plugin icon
wp-simple-galleries
No known fix

References

CVE
CVE-2023-5583
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/0dc8f7cf-d8be-4229-b823-3bd9bc9f6eda

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Lana Codes
Verified
No
WPVDB ID
10f73372-e108-4987-9bc8-a51e5d5ec789

Timeline

Publicly Published
2023-10-29 (about 2 years ago)
Added
2023-11-03 (about 2 years ago)
Last Updated
2023-11-03 (about 2 years ago)

Other

Published
Title
Published
2024-10-14
Title
TAKETIN To WP Membership <= 2.8.17 - Subscriber+ PHP Object Injection
Published
2026-04-16
Title
Reina < 2.2 - Unauthenticated PHP Object Injection
Published
2026-03-23
Title
Kamperen < 1.3 - Unauthenticated PHP Object Injection
Published
2022-08-17
Title
Download Manager < 3.2.50 - Contributor+ PHAR Deserialization
Published
2025-08-07
Title
YITH WooCommerce Compare < 3.7.0 - Authenticated (Admin+) PHP Object Injection