WordPress Plugin Vulnerabilities

MainWP Code Snippets Extension < 4.0.3 - Subscriber+ PHP Objection Injection

Description

The plugin unserializes user input, which could allow any authenticated users, such as subscriber to perform PHP Object Injection

Affects Plugins

Plugin icon
mainwp-code-snippets-extension
Fixed in 4.0.3

References

CVE
CVE-2023-23645

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Dave Jong
Verified
No
WPVDB ID
48710ddb-1f8e-4849-b8ba-764374b11fb3

Timeline

Publicly Published
2023-01-18 (about 3 years ago)
Added
2023-03-23 (about 3 years ago)
Last Updated
2023-03-23 (about 3 years ago)

Other

Published
Title
Published
2025-07-01
Title
Amwerk < 1.3.0 - Unauthenticated PHP Object Injection
Published
2020-11-05
Title
Welcart e-Commerce < 1.9.36 - Authenticated PHP Object Injection
Published
2025-02-17
Title
Brooklyn Theme < 4.9.9.3 - Authenticated (Subscriber+) PHP Object Injection in ot_decode
Published
2025-11-18
Title
WP Import – Ultimate CSV XML Importer for WordPress < 7.34 - Authenticated (Administrator+) PHP Object Injection via CSV Import
Published
2019-08-09
Title
Formidable < 4.02.01 - Unsafe Deserialisation