WordPress Plugin Vulnerabilities

Welcart e-Commerce < 1.9.36 - Authenticated PHP Object Injection

Description

The plugin unserialises (via usces_unserialize()) the content of the usces_cookie cookie, which could lead to a PHP Object Injection issue.

Affects Plugins

Plugin icon
usc-e-shop
Fixed in 1.9.36

References

CVE
CVE-2020-28339
URL
https://www.wordfence.com/blog/2020/11/object-injection-vulnerability-in-welcart-e-commerce-plugin/

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502
CVSS
7.5 (high)

Miscellaneous

Original Researcher
Ram Gall (Wordfence)
Verified
No
WPVDB ID
177acb3e-b7a2-4a86-9808-4b90d1dbe146

Timeline

Publicly Published
2020-11-05 (about 3 years ago)
Added
2020-11-05 (about 3 years ago)
Last Updated
2020-11-09 (about 3 years ago)

Other

Published
Title
Published
2022-12-09
Title
Custom Field Template < 2.5.8 - Admin+ PHP Object Injection
Published
2016-12-09
Title
BP Profile Search <= 4.5.3 - PHP Object Injection
Published
2018-12-22
Title
WP Job Manager < 1.31.3 - Phar Deserialization
Published
2023-12-05
Title
Genesis Simple Love <= 2.0 - Unauthenticated PHP Object Injection
Published
2019-02-15
Title
Advanced Custom Fields <= 5.7.10 - Unserialize of user input