WordPress Plugin Vulnerabilities

WPtouch < 4.3.45 - Admin+ PHP Object Injection

Description

The plugin unserialises the content of an imported settings file, which could lead to PHP object injections issues when an user import (intentionally or not) a malicious settings file and a suitable gadget chain is present on the blog.

Affects Plugins

Plugin icon
wptouch
Fixed in 4.3.45

References

CVE
CVE-2022-3417

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502
CVSS
4.1 (medium)

Miscellaneous

Original Researcher
Nguyen Duy Quoc Khanh
Submitter
Nguyen Duy Quoc Khanh
Submitter website
https://github.com/ngduyquockhanh
Submitter twitter
ndqkhanh
Verified
Yes
WPVDB ID
55772932-eebd-475b-b5df-e80fab288ee5

Timeline

Publicly Published
2022-12-19 (about 1 years ago)
Added
2022-12-19 (about 1 years ago)
Last Updated
2022-12-19 (about 1 years ago)

Other

Published
Title
Published
2023-10-17
Title
Themify Ultra < 7.3.6 - Authenticated (Subscriber+) PHP Object Injection
Published
2024-04-25
Title
XStore Core <= 5.3.5 - Unauthenticated PHP Object Injection
Published
2016-11-17
Title
Post Indexer <= 3.0.6.1 - PHP Object Injection via MitM
Published
2018-12-22
Title
WP Job Manager < 1.31.3 - Phar Deserialization
Published
2023-01-02
Title
Google Analyticator < 6.5.6 - Admin+ PHP Object Injection