AJAX Random Posts <= 0.3.3 – Unauthenticated PHP Object Injection

Description

The plugin ajax-random-posts insecurely trusts serialized data submitted over HTTP requests. This opens up the site to a PHP object injection vulnerability potential exploit vector.

The original researcher notified WordPress Plugins team.

Proof of Concept

Attack is exploitable over AJAX calls on sites with the ajax-random-posts Plugin enabled.

Affects Plugins

ajax-random-posts

No known fix

References

URL

https://en-gb.wordpress.org/plugins/ajax-random-posts/

Classification

Type

OBJECT INJECTION

OWASP top 10

A8: Insecure Deserialization

CWE

CWE-502

Miscellaneous

Submitter

Robert R

Submitter website

https://pagely.com/

Submitter twitter

@iamlei

Verified

WPVDB ID

b8931bc8-ebde-461b-b171-19b58709f1d6

Timeline

Publicly Published

2017-04-27 (about 9 years ago)

Added

2017-05-21 (about 8 years ago)

Last Updated

2019-11-01 (about 6 years ago)

Other

Published

Title

Published

2024-10-24

Title

Namaste! LMS < 2.6.4 - Authenticated (Subscriber+) PHP Object Injection

Published

2026-03-23

Title

Apicona <= 24.1.0 - Authenticated (Subscriber+) PHP Object Injection

Published

2023-12-05

Title

Sayfa Sayaç <= 2.6 - Unauthenticated PHP Object Injection

Published

2025-02-24

Title

NHR Options Table Manager < 1.1.3 - Authenticated (Admin+) PHP Object Injection

Published

2026-03-23

Title

Goldish < 3.47 - Unauthenticated PHP Object Injection