WordPress Plugin Vulnerabilities

Simple Ads Manager - Unauthenticated PHP Object Injection

Description

The simple-ads-manager WordPress plugin was affected by an Unauthenticated PHP Object Injection security vulnerability. The exploitation of this bug could, among other things, lead to SQL Injection attacks.

Affects Plugins

Plugin icon
simple-ads-manager
No known fix

References

URL
https://sumofpwn.nl/advisory/2016/simple_ads_manager_wordpress_plugin_unauthenticated_php_object_injection_vulnerability.html
URL
https://seclists.org/fulldisclosure/2017/Feb/80
URL
https://twitter.com/sumofpwn/status/838701366218481666

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502
CVSS
8.6 (high)

Miscellaneous

Original Researcher
Yorick Koster, Mironov Denis (SolidSoft LLC), Daniil Sigalov (SolidSoft LLC), Maxim Malkov (SolidSoft LLC)
Submitter
ethicalhack3r
Submitter twitter
ethicalhack3r
Verified
Yes
WPVDB ID
38787b49-c19c-49db-925a-69e2c9cf7a43

Timeline

Publicly Published
2017-03-01 (about 9 years ago)
Added
2017-03-03 (about 9 years ago)
Last Updated
2022-05-07 (about 4 years ago)

Other

Published
Title
Published
2024-03-18
Title
Tourfic < 2.11.19 - Authenticated (Subscriber+) PHP Object Injection
Published
2024-03-06
Title
PDF Invoices and Packing Slips For WooCommerce < 1.3.8 - Authenticated (Subscriber+) PHP Object Injection
Published
2025-07-08
Title
SureForms < 1.7.4 - Unauthenticated PHP Object Injection
Published
2024-02-05
Title
Coupon Referral Program < 1.8.4 - Unauthenticated PHP Object Injection
Published
2025-06-02
Title
Mr. Murphy - Custom Dress Tailoring Clothing WordPress Theme < 1.2.12.1 - Unauthenticated PHP Object Injection