logoWordPressPluginsThemesAPISubmitContact
search-icon
logo
search-icon
WordPressPluginsThemesAPISubmitContactSecurity Scanner
Register

NinjaFirewall < 4.3.4 - Authenticated (admin+) PHAR Deserialization

Description

The plugin was affected by a PHAR deserialisation issue, which may allow admin users to execute arbitrary code on the remote host. The plugin did not have a POP chain available, so another plugin/theme with one would need to be present, other conditions for the attack are described in the vendor's post.

Affects Plugins

ninjafirewall

Fixed in version 4.3.4

References

URL

https://blog.nintechnet.com/security-issue-fixed-in-ninjafirewall-wp-edition/

Classification

Type

OBJECT INJECTION

OWASP top 10

A8: Insecure Deserialization

CWE

CWE-502

Miscellaneous

Original Researcher

Chloe Chamberland

Verified

Yes

WPVDB ID

63180c28-6d05-4f97-9565-b48b6d9a8cc2

Timeline

Publicly Published

2021-05-30 (about 3 months ago)

Added

2021-05-30 (about 3 months ago)

Last Updated

2021-05-31 (about 3 months ago)

Our Other Services

WPScan WordPress Security Plugin