Gravitate QA Tracker <= 1.2.1 – Unauthenticated PHP Object Injection | CVE 2017-18605

Description

The plugin gravitate-qa-tracker insecurely trusts serialized data submitted over HTTP requests. This opens up the site to a PHP object injection vulnerability potential exploit vector.

Proof of Concept

Attack is exploitable over HTTP requests to sites with the gravitate-qa-tracker Plugin.

The original researcher notified WordPress Plugins team.

Affects Plugins

gravitate-qa-tracker

No known fix

References

CVE

CVE-2017-18605

URL

https://en-gb.wordpress.org/plugins/gravitate-qa-tracker/

Classification

Type

OBJECT INJECTION

OWASP top 10

A8: Insecure Deserialization

CWE

CWE-502

CVSS

9.8 (critical)

Miscellaneous

Submitter

Robert R

Submitter website

https://pagely.com

Submitter twitter

@iamlei

Verified

WPVDB ID

59d71c12-081b-4357-87e1-e15b23fb750e

Timeline

Publicly Published

2017-04-27 (about 9 years ago)

Added

2017-05-21 (about 8 years ago)

Last Updated

2020-09-22 (about 5 years ago)

Other

Published

Title

Published

2025-08-08

Title

Connector for Gravity Forms and Google Sheets < 1.2.7 - Unauthenticated PHP Object Injection

Published

2026-04-20

Title

PDF Invoices & Packing Slips for WooCommerce < 5.9.0 - Authenticated (Shop manager+) PHP Object Injection

Published

2023-12-27

Title

Rencontre – Dating Site < 3.11.2 - Subscriber+ PHP Object Injection

Published

2024-08-20

Title

Ultimate Store Kit Elementor Addons, Woocommerce Builder, EDD Builder, Elementor Store Builder, Product Grid, Product Table, Woocommerce Slider < 2.0.0 - Unauthenticated PHP Object Injection

Published

2022-10-10

Title

PublishPress Capabilities < 2.5.2 - Admin+ PHP Objection Injection