BP Profile Search < 4.6 – PHP Object Injection

Description

The plugin bp-profile-search insecurely trusts serialized data submitted over HTTP requests. This opens up the site to a PHP object injection vulnerability potential exploit vector.

This vulnerability was patched in version 4.6, information is being released now as a disclosure period has expired.

Proof of Concept

Attack is exploitable over ajax calls sites with the bp-profile-search plugin.

Affects Plugins

bp-profile-search

Fixed in 4.6

References

URL

https://plugins.trac.wordpress.org/changeset/1528482/bp-profile-search

Classification

Type

OBJECT INJECTION

OWASP top 10

A8: Insecure Deserialization

CWE

CWE-502

Miscellaneous

Submitter

Robert R

Submitter website

http://www.pagely.com

Submitter twitter

iamlei

Verified

WPVDB ID

81dae282-df66-44bc-8457-3f3d5f3dd7b1

Timeline

Publicly Published

2016-12-09 (about 9 years ago)

Added

2016-12-11 (about 9 years ago)

Last Updated

2019-11-01 (about 6 years ago)

Other

Published

Title

Published

2026-05-07

Title

User Frontend < 4.3.2 - Subscriber+ PHP Object Injection

Published

2023-04-12

Title

ChatBot < 4.4.7 - Unauthenticated PHP Object Injection

Published

2025-09-05

Title

eDS Responsive Menu <= 1.2 - Authenticated (Administrator+) PHP Object Injection

Published

2026-02-17

Title

Advanced AJAX Product Filters < 3.1.9.7 - Author+ PHP Object Injection

Published

2025-12-25

Title

WpEvently < 5.0.9 - Authenticated (Contributor+) PHP Object Injection