WordPress Plugin Vulnerabilities

NinjaForms < 3.6.13 - Admin+ PHP Objection Injection

Description

The plugin unserialises the content of an imported file, which could lead to PHP object injections issues when an admin import (intentionally or not) a malicious file and a suitable gadget chain is present on the blog.

Proof of Concept

Affects Plugins

Plugin icon
ninja-forms
Fixed in 3.6.13

References

CVE
CVE-2022-2903

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502
CVSS
6.6 (medium)

Miscellaneous

Original Researcher
Alessio Santoru
Submitter
Alessio Santoru
Submitter website
https://insecurity.blog
Submitter twitter
santoru_
Verified
Yes
WPVDB ID
255b98ba-5da9-4424-a7e9-c438d8905864

Timeline

Publicly Published
2022-09-05 (about 3 years ago)
Added
2022-09-05 (about 3 years ago)
Last Updated
2022-09-05 (about 3 years ago)

Other

Published
Title
Published
2024-05-14
Title
Order Export & Order Import for WooCommerce < 2.5.0 - Authenticated (Administrator+) PHP Object Injection
Published
2025-06-23
Title
WP Optimize By xTraffic <= 5.1.6 - Unauthenticated PHP Object Injection
Published
2025-09-23
Title
Goldenblatt < 1.3.0 - Unauthenticated PHP Object Injection
Published
2025-08-13
Title
Eventin < 4.0.32 - Authenticated (Contributor+) PHP Object Injection
Published
2025-09-03
Title
LTL Freight Quotes - TQL Edition < 1.2.7 - Authenticated (Administrator+) PHP Object Injection