WordPress Plugin Vulnerabilities

Five Star Restaurant Menu < 2.2.1 - Unauthenticated PHP Object Injection

Description

The plugin unserialised the fdm_cart cookie value without any sanitisation or validation first, when the Ordering setting of the plugin was enabled, leading to a PHP object injection which could lead to RCE

Affects Plugins

Plugin icon
food-and-drink-menu
Fixed in 2.2.1

References

CVE
CVE-2020-29045
URL
https://appcheck-ng.com/cve-2020-29045/

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502
CVSS
8.9 (high)

Miscellaneous

Original Researcher
Nick Blundell (AppCheck Ltd)
Verified
Yes
WPVDB ID
40ce7e3b-acf2-4e09-8216-1bb1199d234b

Timeline

Publicly Published
2021-03-10 (about 4 years ago)
Added
2021-03-10 (about 4 years ago)
Last Updated
2021-03-12 (about 4 years ago)

Other

Published
Title
Published
2026-02-18
Title
Valenti <= 5.6.3.5 - Authenticated (Contributor+) PHP Object Injection
Published
2024-03-28
Title
Lightbox slider – Responsive Lightbox Gallery < 1.10.0 - Contributor+ PHP Object Injection
Published
2024-11-12
Title
Advanced Order Export For WooCommerce < 3.5.6 - Unauthenticated PHP Object Injection via Order Details
Published
2023-12-06
Title
WP 6.4-6.4.1 - POP Chain
Published
2022-12-27
Title
Google Analyticator < 6.5.6 - Admin+ PHP Object Injection