BuddyForms < 2.7.8 – Unauthenticated PHAR Deserialization | CVE 2023-26326 | Plugin Vulnerabilities

Description

The plugin does not validate the url parameter of its upload_image_from_url AJAX action, which could allow unauthenticated attackers to perform PHAR deserialisation granted they an upload a file to the server and a suitable gadget chain is present as well

Proof of Concept

1. Create a malicious phar file.
2. Upload the malicious phar file as an image via the upload_image_from_url action.
3. Call the file with the phar:// wrapper using the same action.

Affects Plugins

Fixed in 2.7.8

References

CVE

Classification

Type

OBJECT INJECTION

OWASP top 10

A8: Insecure Deserialization

CWE

CVSS

Miscellaneous

Original Researcher

Joshua Martinelle (Tenable Research)

Verified

No

WPVDB ID

a554091e-39d1-4e7e-bbcf-19b2a7b8e89f

Timeline

Publicly Published

2023-02-23 (about 2 years ago)

Added

2023-02-24 (about 2 years ago)

Last Updated

2023-02-24 (about 2 years ago)

Other

Published

Title

Published

2024-11-13

Title

Migration, Backup, Staging – WPvivid < 0.9.108 - Unauthenticated PHP Object Injection

Published

2022-12-19

Title

WPtouch < 4.3.45 - Admin+ PHP Object Injection

Published

2024-01-03

Title

HTML5 MP3 Player with Folder Feedburner <= 2.8.0 - Authenticated (Author+) PHP Object Injection

Published

2020-11-03

Title

GDPR CCPA Compliance Support < 2.4 - Unauthenticated PHP Object Injection

Published

2025-08-23

Title

PDF Invoice Builder for WooCommerce <= 6.3.2 - Authenticated (Subscriber+) PHP Object Injection