WordPress Plugin Vulnerabilities

MarketPress <= 3.2.6 - PHP Object Injection

Description

The MarketPress plugin (installs to a directory named wordpress-ecommerce) versions 3.2.6 and prior are vulnerable to a PHP Object Injection attack from the cart cookie value stored in connection with this plugin.

Proof of Concept

Affects Plugins

Plugin icon
wordpress-ecommerce
Fixed in 3.2.7

References

URL
https://premium.wpmudev.org/project/e-commerce/
URL
https://plugins.trac.wordpress.org/changeset/1735475/wordpress-ecommerce

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502

Miscellaneous

Submitter
Robert R
Submitter website
https://pagely.com
Submitter twitter
@iamlei
Verified
No
WPVDB ID
a414a92a-3e3a-4b65-af6a-6d54e5788068

Timeline

Publicly Published
2017-10-01 (about 8 years ago)
Added
2017-09-28 (about 8 years ago)
Last Updated
2019-11-01 (about 6 years ago)

Other

Published
Title
Published
2023-09-11
Title
Read More & Accordion < 3.2.7 - Admin+ PHP Object Injection
Published
2026-02-09
Title
Travelicious < 1.6.7 - Unauthenticated PHP Object Injection
Published
2026-02-26
Title
Good Energy <= 1.7.7 - Unauthenticated PHP Object Injection
Published
2026-02-24
Title
Celeste <= 1.3.6 - Unauthenticated PHP Object Injection
Published
2019-08-09
Title
Formidable < 4.02.01 - Unsafe Deserialisation