WordPress Plugin Vulnerabilities

Ultimate Reviews < 2.1.33 - Unauthenticated PHP Object Injection

Description

There were three occurrences in the plugin where an unauthenticated user could inject a serialized PHP object via a cookie, which could potentially lead to a PHP object injection vulnerability.

Affects Plugins

Plugin icon
ultimate-reviews
Fixed in 2.1.33

References

CVE
CVE-2020-36726
URL
https://blog.nintechnet.com/wordpress-ultimate-reviews-plugin-fixed-insecure-deserialization-vulnerability/
URL
https://plugins.trac.wordpress.org/changeset/2409141

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502
CVSS
5.6 (medium)

Miscellaneous

Original Researcher
Jerome Bruandet (nintechnet)
Verified
No
WPVDB ID
75ad8726-09a5-49b7-9534-61371a543764

Timeline

Publicly Published
2020-11-10 (about 5 years ago)
Added
2020-11-10 (about 5 years ago)
Last Updated
2023-06-08 (about 2 years ago)

Other

Published
Title
Published
2025-07-11
Title
URL Shortener <= 3.0.7 - Unauthenticated PHP Object Injection
Published
2025-03-28
Title
MDJM Event Management < 1.7.5.3 - Authenticated (Subscriber+) PHP Object Injection
Published
2024-08-07
Title
News Flash <= 1.1.0 - Authenticated (Editor+) PHP Object Injection
Published
2024-06-18
Title
Photo Video Gallery Master <= 1.5.3 - Authenticated (Contributor+) PHP Object Injection
Published
2025-04-15
Title
Kata Plus < 1.5.4 - Unauthenticated PHP Object Injection