WordPress Plugin Vulnerabilities

WP Custom Admin Interface < 7.29 - Admin+ PHP Object Injection

Description

The plugin unserialize user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present.

Proof of Concept

action=import_settings&settings=O%3a4%3a%22Evil%22%3a0%3a%7b%7d%3b&security=6960d7bb50

Affects Plugins

Plugin icon
wp-custom-admin-interface
Fixed in 7.29

References

CVE
CVE-2022-4043

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502
CVSS
5.5 (medium)

Miscellaneous

Original Researcher
Nguyen Duy Quoc Khanh
Submitter
Nguyen Duy Quoc Khanh
Submitter twitter
ndqkhanh
Verified
Yes
WPVDB ID
ffff8c83-0a59-450a-9b40-c7f3af7205fc

Timeline

Publicly Published
2022-12-13 (about 1 years ago)
Added
2022-12-13 (about 1 years ago)
Last Updated
2023-09-19 (about 7 months ago)

Other

Published
Title
Published
2017-04-27
Title
Geo2 Maps Add-on for NextGEN Gallery < 2.0.3 - Unauthenticated PHP Object Injection
Published
2018-02-28
Title
Category Order and Taxonomy Terms Order < 1.5.3 - Authenticated PHP Object Injection
Published
2023-12-27
Title
Active Products Tables for WooCommerce < 1.0.6.1 - Unauthenticated PHP Object Injection
Published
2023-05-29
Title
Gravity Forms < 2.7.4 - Unauthenticated PHP Object Injection
Published
2024-03-26
Title
Hercules Core < 6.5 - Authenticated (Subscriber+) PHP Object Injection