WordPress Plugin Vulnerabilities

CiviCRM < 5.24.3 - Authenticated Phar Deserialization

Description

The plugin was vulnerable to Authenticated Phar Deserialization. The vulnerability was discovered by sonarsource.

Update to versions 5.24.3 and above to patch the vulnerability.

Affects Plugins

Plugin icon
civicrm
Fixed in 5.24.3

References

CVE
CVE-2020-36388
URL
https://blog.sonarsource.com/civicrm-code-execution-vulnerability-chain-explained/
YouTube Video

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502
CVSS
5.7 (medium)

Miscellaneous

Original Researcher
Dennis Brinkrolf (sonarsource)
Verified
No
WPVDB ID
dccfdd62-d164-4765-88c3-4d927b8b673d

Timeline

Publicly Published
2021-06-22 (about 4 years ago)
Added
2021-06-23 (about 4 years ago)
Last Updated
2022-01-02 (about 4 years ago)

Other

Published
Title
Published
2025-01-16
Title
Optimize Your Campaigns – Google Shopping – Google Ads – Google Adwords <= 3.1 - Unauthenticated PHP Object Injection
Published
2025-04-21
Title
WP FoodBakery <= 3.3 - Unauthenticated PHP Object Injection
Published
2025-03-19
Title
Order Export & Order Import for WooCommerce < 2.6.1 - Authenticated (Admin+) PHP Object Injection via form_data Parameter
Published
2025-01-06
Title
Compare Products for WooCommerce < 3.2.2 - Unauthenticated PHP Object Injection
Published
2017-04-27
Title
Geo2 Maps Add-on for NextGEN Gallery < 2.0.3 - Unauthenticated PHP Object Injection