WPtouch < 4.3.45 - Admin+ PHP Object Injection
Description
The WPtouch WordPress plugin before 4.3.45 unserialises the content of an imported settings file, which could lead to PHP object injection issues when a user imports (intentionally or not) a malicious settings file and a suitable gadget chain is present on the blog.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
WPtouch WordPress plugin before 4.3.45 unserializes imported settings, allowing PHP object injection via malicious file.
Vulnerability
WPtouch WordPress plugin versions before 4.3.45 unserialize the content of an imported settings file without proper sanitization [1]. This allows PHP object injection when a user imports a malicious settings file and a suitable gadget chain is present on the blog. Exploitation requires a user with the capability to import settings (typically Admin+).
Exploitation
An attacker with administrative access to the WordPress site can import a specially crafted settings file containing serialized PHP objects. Upon import, the plugin unserializes the data; if a suitable gadget chain is present on the blog, this triggers the chain and executes arbitrary code [1]. No additional user interaction is required beyond the import action.
Impact
Successful exploitation leads to arbitrary code execution on the server, potentially allowing full compromise of the WordPress site, including data theft, privilege escalation, and further attacks [1].
Mitigation
The vulnerability is fixed in WPtouch version 4.3.45. Users should update to this version immediately. No workarounds are documented [1].
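For developers reviewing similar settings-import code, the unsafe pattern described above is shown here beside a hardened form. This is an added example, not WPtouch code and not the 4.3.45 fix; `DemoGadget`, `import_settings_unsafe`, `import_settings_safe` and `assert_no_objects` are hypothetical names, and the sample input is constructed.

```php
<?php
// Added example with hypothetical names; not WPtouch code and not the 4.3.45 fix.

// Constructed stand-in for a class some other plugin or theme might define.
final class DemoGadget {
    public static $wakeups = 0;
    public function __wakeup() { self::$wakeups++; } // harmless marker only
}

// Pattern from the description: imported file content goes straight to unserialize(),
// so any loadable class named in the file is instantiated and its magic methods run.
function import_settings_unsafe(string $blob) {
    return unserialize($blob);
}

// Reject objects anywhere in the decoded structure.
function assert_no_objects($value): void {
    if (is_object($value) || $value instanceof __PHP_Incomplete_Class) {
        throw new InvalidArgumentException('settings file contains a serialized object');
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            assert_no_objects($item);
        }
    }
}

// Hardened form: allowed_classes => false stops class instantiation (blocked objects
// decode to __PHP_Incomplete_Class), then anything that is not plain data is refused.
function import_settings_safe(string $blob): array {
    $data = @unserialize($blob, ['allowed_classes' => false]);
    if (!is_array($data)) {
        throw new InvalidArgumentException('settings file is not a serialized array');
    }
    assert_no_objects($data);
    return $data;
}

// Constructed sample input: a settings array with an object smuggled in.
$blob = serialize(['theme' => 'classic', 'extra' => new DemoGadget()]);

import_settings_unsafe($blob);
printf("unsafe import: __wakeup ran %d time(s)\n", DemoGadget::$wakeups);
try {
    import_settings_safe($blob);
} catch (InvalidArgumentException $e) {
    printf("safe import rejected file: %s; __wakeup count still %d\n",
        $e->getMessage(), DemoGadget::$wakeups);
}
```

An export format such as JSON, which cannot encode PHP objects, removes the problem at the format level.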
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: <4.3.45
Patches
No patches discovered yet.
References
[1] wpscan.com/vulnerability/55772932-eebd-475b-b5df-e80fab288ee5 (tags: mitre, exploit, vdb-entry, technical-description)