WordPress Plugin Vulnerabilities

Smart Slider 3 < 3.5.1.11 - PHP Object Injection

Description

The plugin unserialises the content of an imported file, which could lead to PHP object injection issues when a user import (intentionally or not) a malicious file, and a suitable gadget chain is present on the site.

Proof of Concept

Affects Plugins

Plugin icon
smart-slider-3
Fixed in 3.5.1.11

References

CVE
CVE-2022-3357

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502
CVSS
5.8 (medium)

Miscellaneous

Original Researcher
Nguyen Duy Quoc Khanh
Submitter
Nguyen Duy Quoc Khanh
Submitter website
https://github.com/ngduyquockhanh
Submitter twitter
ndqkhanh
Verified
Yes
WPVDB ID
2e28a4e7-e7d3-485c-949c-e300e5b66cbd

Timeline

Publicly Published
2022-10-10 (about 3 years ago)
Added
2022-10-10 (about 3 years ago)
Last Updated
2022-10-10 (about 3 years ago)

Other

Published
Title
Published
2024-01-30
Title
WordPress < 6.4.3 - Deserialization of Untrusted Data
Published
2024-09-30
Title
Unseen Blog <= 1.0.0 - Authenticated (Contributor+) PHP Object Injection
Published
2022-12-05
Title
Stop Spammers Security < 2022.6 - Unauthenticated PHP Object Injection
Published
2024-01-05
Title
Gecka Terms Thumbnails <= 1.1 - Authenticated (Subscriber+) PHP Object Injection
Published
2020-10-29
Title
WordPress < 5.5.2 - Hardening Deserialization Requests