WordPress Plugin Vulnerabilities

Feed Them Social < 2.9.8.6 - Unauthenticated PHAR Deserialisation

Description

The plugin does not validate the fts_url parameter, which could lead to PHAR deserialisation when an attacker manage to upload a malicious file and a suitable gadget chain is present

Affects Plugins

Plugin icon
feed-them-social
Fixed in 2.9.8.6

References

CVE
CVE-2022-2437

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Rasoul Jahanshahi
Verified
Yes
WPVDB ID
8588377c-26d2-41fe-a12e-57c532ed91ca

Timeline

Publicly Published
2022-07-18 (about 3 years ago)
Added
2022-07-24 (about 3 years ago)
Last Updated
2023-04-18 (about 2 years ago)

Other

Published
Title
Published
2023-11-15
Title
Welcart e-Commerce < 2.9.6 - Admin+ PHP Object Injection
Published
2024-03-29
Title
Filter Custom Fields & Taxonomies Light <= 1.05 - Authenticated (Contributor+) PHP Object Injection
Published
2025-05-19
Title
User Manager < 2.9.13 - Authenticated (Subscriber+) PHP Object Injection
Published
2025-08-25
Title
YouTube Showcase < 3.5.2 - Unauthenticated PHP Object Injection
Published
2017-04-27
Title
Geo2 Maps Add-on for NextGEN Gallery < 2.0.3 - Unauthenticated PHP Object Injection