WordPress Plugin Vulnerabilities

ToTop Link <= 1.7.1 - Unauthenticated PHP Object Injection

Description

The plugin passes base64 encoded user input to the unserialize() PHP function, which could lead to PHP Object injection if a plugin installed on the blog has a suitable gadget chain.

Proof of Concept

Affects Plugins

Plugin icon
totop-link
No known fix

References

CVE
CVE-2021-24857

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502
CVSS
5.6 (medium)

Miscellaneous

Original Researcher
Muhammed Kara
Submitter
Muhammed Kara
Verified
Yes
WPVDB ID
518204d8-fbf5-4bfa-9db5-835f908f8d8e

Timeline

Publicly Published
2021-11-15 (about 4 years ago)
Added
2021-11-15 (about 4 years ago)
Last Updated
2022-04-23 (about 3 years ago)

Other

Published
Title
Published
2025-11-08
Title
Email Subscribers & Newsletters < 5.9.11 - Authenticated (Administrator+) PHP Object Injection
Published
2025-09-24
Title
TranslatePress < 2.10.3 - Unauthenticated PHP Object Injection
Published
2025-03-25
Title
WordPress Importer < 0.8.4 - Admin+ PHP Object Injection
Published
2022-07-18
Title
Feed Them Social < 2.9.8.6 - Unauthenticated PHAR Deserialisation
Published
2025-06-24
Title
ThemeMove Core <= 1.4.2 - Authenticated (Subscriber+) PHP Object Injection