WordPress Plugin Vulnerabilities

Broken Link Checker < 1.11.17 - Admin+ PHAR Deserialization

Description

The plugin does not validate a parameter, which could allow high privilege users such as admin to perform PHAR deserialisation when a suitable gadget chain is also present

Affects Plugins

Plugin icon
broken-link-checker
Fixed in 1.11.17

References

CVE
CVE-2022-2438

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502
CVSS
4.7 (medium)

Miscellaneous

Original Researcher
Rasoul Jahanshahi
Verified
Yes
WPVDB ID
ecfc0221-92c0-49a6-88a3-f1379303bb56

Timeline

Publicly Published
2022-08-16 (about 1 years ago)
Added
2022-08-17 (about 1 years ago)
Last Updated
2023-05-09 (about 11 months ago)

Other

Published
Title
Published
2024-03-05
Title
Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget < 1.6.8 - Authenticated (Contributor+) PHP Object Injection in outpost_shortcode_metabox_markup
Published
2017-10-02
Title
RegistrationMagic-Custom Registration Forms <= 3.7.9.2 - Unauthenticated PHP Object Injection
Published
2017-04-27
Title
Geo2 Maps Add-on for NextGEN Gallery < 2.0.3 - Unauthenticated PHP Object Injection
Published
2023-04-06
Title
Formidable Forms < 6.2 - Unauthenticated PHP Object Injection
Published
2024-01-05
Title
Gecka Terms Thumbnails <= 1.1 - Authenticated (Subscriber+) PHP Object Injection