CVE-2019-12240

An unauthenticated attacker can trigger insecure deserialization by sending a crafted HTTP GET request to `graph.php` with the `type` parameter set to any value other than `'over_time'` and malicious serialized payloads in the `s_values`, `t_values`, or `c_values` parameters [ref_id=1]. No authentication is required, and the attacker-controlled data flows directly into PHP's `unserialize()` call, which can instantiate arbitrary PHP objects and potentially execute code via gadget chains [CWE-502].

The vulnerability resides in `graph.php` of the Virim plugin 0.4 for WordPress. Lines 51–53 pass the `$_GET['s_values']`, `$_GET['t_values']`, and `$_GET['c_values']` parameters directly to PHP's `unserialize()` function without any sanitization or validation [ref_id=1].

The advisory does not provide a patch; it only documents the vulnerable code and recommends following OWASP guidance on insecure deserialization [ref_id=1]. To remediate, the plugin should replace `unserialize()` with a safe alternative such as JSON decoding (`json_decode()`) or implement strict input validation and allow-listing of expected data formats.