My Geo Posts Free <= 1.2 – Unauthenticated PHP Object Injection

Description

The plugin my-geo-posts-free insecurely trusts serialized data submitted over HTTP requests. This opens up the site to a PHP object injection vulnerability potential exploit vector.

Proof of Concept

Attack is exploitable over HTTP requests to sites with the my-geo-posts-free Plugin.

The original researcher notified WordPress Plugins team.

Affects Plugins

my-geo-posts-free

No known fix

References

URL

https://wordpress.org/plugins/my-geo-posts-free/#developers

Classification

Type

OBJECT INJECTION

OWASP top 10

A8: Insecure Deserialization

CWE

CWE-502

Miscellaneous

Submitter

Robert R

Submitter website

https://pagely.com

Submitter twitter

@iamlei

Verified

WPVDB ID

422c9482-2f08-4e45-8ac8-f903c925c869

Timeline

Publicly Published

2017-04-27 (about 8 years ago)

Added

2017-05-21 (about 8 years ago)

Last Updated

2019-11-01 (about 6 years ago)

Other

Published

Title

Published

2025-03-19

Title

Order Export & Order Import for WooCommerce < 2.6.1 - Authenticated (Admin+) PHP Object Injection via form_data Parameter

Published

2024-04-22

Title

Export and Import Users and Customers < 2.5.4 - Authenticated (Admin+) PHP Object Injection

Published

2026-02-10

Title

wpForo Forum < 2.4.14 - Subscriber+ PHP Object Injection

Published

2025-01-10

Title

Coupon X: Discount Pop Up, Promo Code Pop Ups, Announcement Pop Up, WooCommerce Popups < 1.3.6 - Missing Authorization to Authenticated (Contributor+) PHP Object Injection

Published

2025-08-02

Title

WeMusic < 1.9.2 - Authenticated (Subscriber+) PHP Object Injection