WordPress Plugin Vulnerabilities

WP Custom Admin Interface < 7.29 - Admin+ PHP Object Injection

Description

The plugin unserialize user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present.

Proof of Concept

Affects Plugins

Plugin icon
wp-custom-admin-interface
Fixed in 7.29

References

CVE
CVE-2022-4043

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502
CVSS
5.5 (medium)

Miscellaneous

Original Researcher
Nguyen Duy Quoc Khanh
Submitter
Nguyen Duy Quoc Khanh
Submitter twitter
ndqkhanh
Verified
Yes
WPVDB ID
ffff8c83-0a59-450a-9b40-c7f3af7205fc

Timeline

Publicly Published
2022-12-13 (about 3 years ago)
Added
2022-12-13 (about 3 years ago)
Last Updated
2023-09-19 (about 2 years ago)

Other

Published
Title
Published
2024-10-18
Title
Advanced Advertising System <= 1.3.1 - Unauthenticated PHP Object Injection
Published
2023-09-13
Title
Essential Blocks <= 4.2.0 - Unauthenticated PHP Object Injection via products
Published
2025-04-24
Title
Flickr Shortcode Importer <= 2.2.3 - Authenticated (Administrator+) PHP Object Injection
Published
2025-09-04
Title
Knowledge Base <= 2.9 - Authenticated (Subscriber+) PHP Object Injection
Published
2025-01-21
Title
Save as PDF Plugin by Pdfcrowd < 4.4.1 - Unauthenticated PHP Object Injection