Asgaros Forum < 2.8.0 – Unauthenticated PHP Object Injection in prepare_unread_status | CVE 2024-22284 | Plugin Vulnerabilities

Description

The Asgaros Forum plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.7.2 via deserialization of untrusted input in the prepare_unread_status function. This makes it possible for unauthenticated attackers to inject a PHP Object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Affects Plugins

Fixed in 2.8.0

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/02b75034-8db1-465b-837e-014e2c2e8b4d

Classification

Type

OBJECT INJECTION

OWASP top 10

A8: Insecure Deserialization

CWE

CVSS

Miscellaneous

Original Researcher

Le Ngoc Anh

Verified

No

WPVDB ID

5d19ae65-7ec4-4254-a046-7d2a2400a465

Timeline

Publicly Published

2024-01-16 (about 2 years ago)

Added

2024-01-22 (about 2 years ago)

Last Updated

2024-01-22 (about 2 years ago)

Other

Published

Title

Published

2025-03-01

Title

Education Center | LMS & Online Courses WordPress Theme < 3.6.11 - PHP Object Injection

Published

2025-08-09

Title

Gravity Forms FreshDesk < 1.3.6 - Unauthenticated PHP Object Injection

Published

2024-11-18

Title

QRMenu Restaurant QR Menu Lite <= 1.0.3 - Authenticated (Contributor+) PHP Object Injection

Published

2021-08-02

Title

Bold Page Builder < 3.1.6 - PHP Object Injection

Published

2025-04-17

Title

Ultimate Store Kit Elementor Addons < 2.4.1 - Unauthenticated PHP Object Injection