WordPress Plugin Vulnerabilities

NinjaFirewall < 4.3.4 - Authenticated (admin+) PHAR Deserialization

Description

The plugin was affected by a PHAR deserialisation issue, which may allow admin users to execute arbitrary code on the remote host. The plugin did not have a POP chain available, so another plugin/theme with one would need to be present, other conditions for the attack are described in the vendor's post.

Affects Plugins

Plugin icon
ninjafirewall
Fixed in 4.3.4

References

URL
https://blog.nintechnet.com/security-issue-fixed-in-ninjafirewall-wp-edition/

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502
CVSS
3.3 (low)

Miscellaneous

Original Researcher
Chloe Chamberland
Verified
Yes
WPVDB ID
63180c28-6d05-4f97-9565-b48b6d9a8cc2

Timeline

Publicly Published
2021-05-30 (about 4 years ago)
Added
2021-05-30 (about 4 years ago)
Last Updated
2021-05-31 (about 4 years ago)

Other

Published
Title
Published
2025-09-07
Title
Scape <= 1.5.13 - Unauthenticated PHP Object Injection
Published
2025-02-24
Title
NHR Options Table Manager < 1.1.3 - Authenticated (Admin+) PHP Object Injection
Published
2025-11-26
Title
Houzez < 4.1.7 - Authenticated (Subscriber+) PHP Object Injection via Saved Search
Published
2024-01-30
Title
ProductX – WooCommerce Builder & Gutenberg WooCommerce Blocks < 3.1.5 - PHP Object Injection via wopb_wishlist and wopb_compare
Published
2020-08-03
Title
Newsletter < 6.8.2 - Authenticated PHP Object Injection