Social Media Share Buttons <= 2.1.0 – Authenticated (Subscriber+) PHP Object Injection | CVE 2024-1685 | Plugin Vulnerabilities

Description

The Social Media Share Buttons plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.1.0 via deserialization of untrusted input through the attachmentUrl parameter. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Affects Plugins

social-media-builder

No known fix

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/9c17d18a-090f-4b35-a257-cfc0a16d5459

Classification

Type

OBJECT INJECTION

OWASP top 10

A8: Insecure Deserialization

CWE

CVSS

Miscellaneous

Original Researcher

Francesco Carlucci

Verified

No

WPVDB ID

bf6c9b60-da15-4258-9e68-57e191cd032c

Timeline

Publicly Published

2024-03-15 (about 2 years ago)

Added

2024-03-15 (about 2 years ago)

Last Updated

2024-03-15 (about 2 years ago)

Other

Published

Title

Published

2023-11-10

Title

Welcart e-Commerce < 2.9.5 - Unauthenticated PHP Object Injection

Published

2025-08-27

Title

WpEvently < 4.4.9 - Authenticated (Contributor+) PHP Object Injection

Published

2020-12-08

Title

WP Hotel Booking < 1.10.4 - Unauthenticated PHP Object Injection

Published

2025-10-02

Title

Schema Plugin For Divi, Gutenberg & Shortcodes <= 4.3.2 - Contributor+ Object Instantiation

Published

2024-12-11

Title

Print Science Designer < 1.3.153 - Unauthenticated PHP Object Injection