Flatsome < 3.17.6 – Unauthenticated PHP Object Injection | CVE 2023-40555 | Theme Vulnerabilities

Description

The Flatsome theme for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 3.17.5 via deserialization of untrusted input. This allows unauthenticated attackers to inject a PHP Object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Affects Themes

Fixed in 3.17.6

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/bfc4863a-1b8c-4b13-9df1-18f221b40b26

Classification

Type

OBJECT INJECTION

OWASP top 10

A8: Insecure Deserialization

CWE

CVSS

Miscellaneous

Original Researcher

Rafie Muhammad

Verified

No

WPVDB ID

622c3d99-b42d-4f34-8c8b-868903bf679d

Timeline

Publicly Published

2023-09-05 (about 2 years ago)

Added

2023-11-23 (about 2 years ago)

Last Updated

2023-12-04 (about 2 years ago)

Other

Published

Title

Published

2024-08-30

Title

Attire < 2.0.7 - Authenticated (Contributor+) PHP Object Injection

Published

2023-02-23

Title

BuddyForms < 2.7.8 - Unauthenticated PHAR Deserialization

Published

2025-08-08

Title

Connector for Gravity Forms and Google Sheets < 1.2.7 - Unauthenticated PHP Object Injection

Published

2019-05-07

Title

Carts Guru < 1.4.6 - Unauthenticated Object Injection

Published

2024-04-03

Title

Modal Popup Box – Popup Builder, Show Offers And News in Popup < 1.5.3 - Authenticated (Contributor+) PHP Object Injection in awl_modal_popup_box_shortcode