WordPress Plugin Vulnerabilities

White Label CMS < 2.5 - Admin+ PHP Object Injection

Description

The plugin unserializes user input provided via the settings, which could allow high-privilege users such as admin to perform PHP Object Injection when a suitable gadget is present.

Proof of Concept

Affects Plugins

Plugin icon
white-label-cms
Fixed in 2.5

References

CVE
CVE-2022-4302

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502
CVSS
3.3 (low)

Miscellaneous

Original Researcher
Nguyen Duy Quoc Khanh
Submitter
Nguyen Duy Quoc Khanh
Submitter twitter
ndqkhanh
Verified
Yes
WPVDB ID
b7707a15-0987-4051-a8ac-7be2424bcb01

Timeline

Publicly Published
2022-12-08 (about 3 years ago)
Added
2022-12-08 (about 3 years ago)
Last Updated
2023-09-20 (about 2 years ago)

Other

Published
Title
Published
2023-08-08
Title
Weaver Show Posts < 1.8.1 - Admin+ PHP Object Injection
Published
2025-08-21
Title
PressApps Knowledge Base Contextual Sidebar Addon <= 4.2.1 - Unauthenticated PHP Object Injection
Published
2025-04-02
Title
GNUCommerce <= 1.5.4 - Unauthenticated PHP Object Injection
Published
2025-09-03
Title
Quiz And Survey Master < 10.2.6 - Unauthenticated PHP Object Injection
Published
2025-08-12
Title
Database for Contact Form 7, WPforms, Elementor forms < 1.4.4 - Unauthenticated PHP Object Injection to Arbitrary File Deletion