WordPress Plugin Vulnerabilities

Hubbub Lite – Fast, Reliable Social Network Sharing Buttons < 1.33.2 - PHP Object Injection

Description

The Hubbub Lite – Fast, Reliable Social Sharing Buttons plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.33.1 via deserialization of untrusted input via the 'dpsp_maybe_unserialize' function. This makes it possible for authenticated attackers, with contributor access and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Affects Plugins

Plugin icon
social-pug
Fixed in 1.33.2

References

CVE
CVE-2024-2501
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/d3999c59-57a9-410c-a550-7d198bdb25ea

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502
CVSS
7.5 (high)

Miscellaneous

Original Researcher
Webbernaut
Verified
No
WPVDB ID
31be7d44-f300-4edc-855d-37b995a2503c

Timeline

Publicly Published
2024-03-27 (about 2 years ago)
Added
2024-03-27 (about 2 years ago)
Last Updated
2024-03-27 (about 2 years ago)

Other

Published
Title
Published
2026-03-05
Title
WebToffee WooCommerce Product Feeds – Google Shopping, Pinterest, TikTok Ads, & More < 2.3.4 - Authenticated (Shop manager+) PHP Object Injection
Published
2025-04-01
Title
WpTravelly < 1.8.8 - Authenticated (Contributor+) PHP Object Injection
Published
2022-12-27
Title
Google Analyticator < 6.5.6 - Admin+ PHP Object Injection
Published
2025-04-21
Title
Grand Conference <= 5.2 - Unauthenticated PHP Object Injection
Published
2026-01-22
Title
Eventin < 4.1.4 - Authenticated (Contributor+) PHP Object Injection