WordPress Plugin Vulnerabilities

Category Order and Taxonomy Terms Order < 1.5.3 - Authenticated PHP Object Injection

Description

Usage of unserialize() on user input in the saving request of the orders leads to PHP object injection vulnerability.

Proof of Concept

Affects Plugins

Plugin icon
taxonomy-terms-order
Fixed in 1.5.3

References

URL
https://plugins.trac.wordpress.org/changeset/1827161/taxonomy-terms-order

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502

Miscellaneous

Submitter
Karim El Ouerghemmi
Submitter website
https://ripstech.com
Verified
No
WPVDB ID
93c2e853-94f7-4dba-b2b4-d529cca89812

Timeline

Publicly Published
2018-02-28 (about 8 years ago)
Added
2018-03-02 (about 8 years ago)
Last Updated
2019-11-01 (about 6 years ago)

Other

Published
Title
Published
2025-04-14
Title
Question Answer <= 1.2.70 - Authenticated (Subscriber+) PHP Object Injection
Published
2024-10-09
Title
Talkback <= 1.0 - Unauthenticated PHP Object Injection
Published
2025-03-21
Title
ProfileGrid – User Profiles, Groups and Communities < 5.9.4.6 - Authenticated (Subscriber+) PHP Object Injection
Published
2025-03-04
Title
ZoomSounds - WordPress Wave Audio Player with Playlist <= 6.91 - Unauthenticated PHP Object Injection
Published
2025-12-30
Title
Tech Life CPT <= 16.4 - Authenticated (Contributor+) PHP Object Injection