WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

NinjaFirewall < 4.3.4 - Authenticated (admin+) PHAR Deserialization

Description

The plugin was affected by a PHAR deserialisation issue, which may allow admin users to execute arbitrary code on the remote host. The plugin did not have a POP chain available, so another plugin/theme with one would need to be present, other conditions for the attack are described in the vendor's post.

Affects Plugins

ninjafirewall
Fixed in version 4.3.4

References

URL
https://blog.nintechnet.com/security-issue-fixed-in-ninjafirewall-wp-edition/

Classification

Type

OBJECT INJECTION

OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502

Miscellaneous

Original Researcher

Chloe Chamberland

Verified

Yes

WPVDB ID
63180c28-6d05-4f97-9565-b48b6d9a8cc2

Timeline

Publicly Published

2021-05-30 (about 11 months ago)

Added

2021-05-30 (about 11 months ago)

Last Updated

2021-05-31 (about 11 months ago)

Our Other Services

WPScan WordPress Security Plugin