WordPress Plugin Vulnerabilities

Invite Anyone <= 1.3.18 - Unauthenticated PHP Object Injection

Description

The plugin invite-anyone insecurely trusts serialized data submitted over HTTP requests. This opens up the site to a PHP object injection vulnerability potential exploit vector.

Proof of Concept

Affects Plugins

Plugin icon
invite-anyone
Fixed in 1.3.19

References

URL
https://plugins.trac.wordpress.org/changeset/1732512/

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502

Miscellaneous

Submitter
Robert R
Submitter website
https://pagely.com
Submitter twitter
@iamlei
Verified
No
WPVDB ID
8b07ede0-3713-473a-a275-8c10829eab9b

Timeline

Publicly Published
2017-10-12 (about 8 years ago)
Added
2017-10-13 (about 8 years ago)
Last Updated
2019-11-01 (about 6 years ago)

Other

Published
Title
Published
2024-10-15
Title
GiveWP < 3.16.4 - Unauthenticated PHP Object Injection to Remote Code Execution
Published
2025-06-16
Title
Integration for Contact Form 7 and Zoho CRM, Bigin < 1.3.1 - Unauthenticated PHP Object Injection
Published
2024-04-22
Title
Import and export users and customers < 1.26.3 - Authenticated (Admin+) PHP Object Injection
Published
2025-08-05
Title
Groundhogg < 4.2.2.1 - Authenticated (Sales Representative+) PHP Object Injection
Published
2024-01-03
Title
HTML5 SoundCloud Player <= 2.8.0 - Authenticated (Author+) PHP Object Injection