WordPress Plugin Vulnerabilities

WP Job Manager < 1.29.3 - Unauthenticated Object Injection

Description

Preauth PHP Object injection - unauthenticated attacker could supply his own payload and system to perform unserialize over its data.

Affects Plugins

Plugin icon
wp-job-manager
Fixed in 1.29.3

References

URL
https://medium.com/websec/wp-job-manager-1-29-2-preauth-poi-unserialize-of-user-supplied-data-d90eafa6923b
URL
https://github.com/Automattic/WP-Job-Manager/commit/e599ba5dbd96d8eea24ff33c4f0b71879b0a57d5#diff-580ccc67d45d3769b54696bca2beb42b
URL
https://medium.com/websec/wordpress-4-8-3-wrecking-ball-b172e2511fad
URL
https://hackerone.com/reports/308489

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502
CVSS
5.4 (medium)

Miscellaneous

Submitter
Slavco
Submitter website
https://medium.com/websec
Submitter twitter
mslavco
Verified
No
WPVDB ID
3c520e91-c686-4cc3-93c3-823f6a60969c

Timeline

Publicly Published
2018-03-02 (about 8 years ago)
Added
2018-03-15 (about 8 years ago)
Last Updated
2021-09-21 (about 4 years ago)

Other

Published
Title
Published
2024-03-29
Title
Essential Addons for Elementor < 5.9.14 - Author+ PHP Object Injection
Published
2018-11-23
Title
Patreon Connect < 1.2.2 - PHP Object Injection
Published
2026-01-27
Title
ModelTheme Addons for WPBakery and Elementor < 1.5.6 - Authenticated (Contributor+) PHP Object Injection
Published
2023-01-11
Title
WOOF - Products Filter for WooCommerce < 1.3.2 - Admin+ PHP Object Injection
Published
2024-03-28
Title
Lightbox slider – Responsive Lightbox Gallery < 1.10.0 - Contributor+ PHP Object Injection