WordPress Plugin Vulnerabilities

WP-Mobile-BankID-Integration < 1.0.1 - PHP Object Injection

Description

The WP-Mobile-BankID-Integration plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and excluding, 1.0.1 via deserialization of untrusted input through the getAuthResponseFromDB function. This makes it possible for attackers to inject a PHP Object. No known POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Affects Plugins

Plugin icon
WP-Mobile-BankID-Integration
Fixed in 1.0.1

References

CVE
CVE-2023-51700
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/4712b12f-097b-4106-b2ba-e4c6cb7c32c2

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502
CVSS
9.8 (critical)

Miscellaneous

Verified
No
WPVDB ID
9526ea49-c3ca-4b21-8cb1-2e2e5cfb520c

Timeline

Publicly Published
2023-12-26 (about 2 years ago)
Added
2024-02-07 (about 2 years ago)
Last Updated
2024-02-07 (about 2 years ago)

Other

Published
Title
Published
2023-02-23
Title
BuddyForms < 2.7.8 - Unauthenticated PHAR Deserialization
Published
2025-02-07
Title
WP All Import Pro < 4.9.8 - Authenticated (Administrator+) PHP Object Injection via Import File
Published
2024-01-31
Title
ERE Recently Viewed < 2.0 - Unauthenticated PHP Object Injection
Published
2025-10-11
Title
Togo < 1.0.4 - Authenticated (Subscriber+) PHP Object Injection
Published
2024-12-11
Title
WP Mega Menu <= 1.4.2 - Authenticated (Administrator+) PHP Object Injection