WordPress Plugin Vulnerabilities

RSVPMaker < 10.6.7 - Unauthenticated PHP Object Injection

Description

The RSVPMaker plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 10.6.6 via deserialization of untrusted input from the $details variable. This allows unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Affects Plugins

Plugin icon
rsvpmaker
Fixed in 10.6.7

References

CVE
CVE-2023-25054
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/647cc71d-4d3a-4722-b498-baaee2450809

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502
CVSS
9.8 (Critical)

Miscellaneous

Original Researcher
Ravi Dharmawan
Verified
No
WPVDB ID
5e9daca9-2f4a-4dce-8438-81aa922d1299

Timeline

Publicly Published
2023-09-05 (about 2 years ago)
Added
2023-11-23 (about 2 years ago)
Last Updated
2023-12-04 (about 2 years ago)

Other

Published
Title
Published
2025-05-21
Title
DZS Video Gallery < 12.40 - Authenticated (Subscriber+) PHP Object Injection
Published
2025-03-14
Title
PHP/MySQL CPU performance statistics <= 1.2.1 - Unauthenticated PHP Object Injection
Published
2025-04-21
Title
Grand Restaurant WordPress <= 7.0 - Unauthenticated PHP Object Injection via Path Traversal
Published
2024-08-07
Title
The Next <= 1.1.0 - Authenticated (Contributor+) PHP Object Injection
Published
2022-08-22
Title
Ajax Load More < 5.5.4 - PHAR Deserialization via CSRF