VYPR

CWE-502

Deserialization of Untrusted Data

BaseDraftLikelihood: Medium

Description

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-586

CVEs mapped to this weakness (1,721)

page 34 of 87
  • CVE-2025-32571HigApr 17, 2025
    risk 0.57cvss 8.8epss 0.00

    Deserialization of Untrusted Data vulnerability in TuriTop TuriTop Booking System turitop-booking-system allows Object Injection.This issue affects TuriTop Booking System: from n/a through <= 1.0.10.

  • CVE-2025-31932HigApr 11, 2025
    risk 0.57cvss 8.8epss 0.01

    Deserialization of untrusted data issue exists in BizRobo! all versions. If this vulnerability is exploited, an arbitrary code is executed on the Management Console. The vendor provides the workaround information and recommends to apply it to the deployment environment.

  • CVE-2025-32144HigApr 11, 2025
    risk 0.57cvss 8.8epss 0.01

    Deserialization of Untrusted Data vulnerability in PickPlugins Job Board Manager job-board-manager allows Object Injection.This issue affects Job Board Manager: from n/a through <= 2.1.61.

  • CVE-2025-32143HigApr 11, 2025
    risk 0.57cvss 8.8epss 0.01

    Deserialization of Untrusted Data vulnerability in PickPlugins Accordion accordions allows Object Injection.This issue affects Accordion: from n/a through <= 2.3.11.

  • CVE-2025-32145HigApr 10, 2025
    risk 0.57cvss 8.8epss 0.00

    Deserialization of Untrusted Data vulnerability in magepeopleteam WpEvently mage-eventpress allows Object Injection.This issue affects WpEvently: from n/a through <= 4.3.6.

  • CVE-2025-30889HigApr 3, 2025
    risk 0.57cvss 8.8epss 0.00

    Deserialization of Untrusted Data vulnerability in PickPlugins Testimonial Slider testimonial allows Object Injection.This issue affects Testimonial Slider: from n/a through <= 2.0.13.

  • CVE-2025-30892HigApr 1, 2025
    risk 0.57cvss 8.8epss 0.01

    Deserialization of Untrusted Data vulnerability in magepeopleteam WpTravelly tour-booking-manager allows Object Injection.This issue affects WpTravelly: from n/a through <= 1.8.7.

  • CVE-2025-31074HigApr 1, 2025
    risk 0.57cvss 8.8epss 0.01

    Deserialization of Untrusted Data vulnerability in MDJM Mobile DJ Manager mobile-dj-manager allows Object Injection.This issue affects Mobile DJ Manager: from n/a through <= 1.7.5.2.

  • CVE-2025-2332CriMar 27, 2025
    risk 0.57cvss 9.8epss 0.01

    The Export All Posts, Products, Orders, Refunds & Users plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.13 via deserialization of untrusted input in the 'returnMetaValueAsCustomerInput' function. This makes it possible for…

  • CVE-2024-9701CriMar 20, 2025
    risk 0.57cvss 9.8epss 0.01

    A Remote Code Execution (RCE) vulnerability has been identified in the Kedro ShelveStore class (version 0.19.8). This vulnerability allows an attacker to execute arbitrary Python code via deserialization of malicious payloads, potentially leading to a full system compromise. The…

  • CVE-2025-26921HigMar 15, 2025
    risk 0.57cvss 8.8epss 0.00

    Deserialization of Untrusted Data vulnerability in magepeopleteam Booking and Rental Manager booking-and-rental-manager-for-woocommerce allows Object Injection.This issue affects Booking and Rental Manager: from n/a through <= 2.2.6.

  • CVE-2025-26999HigMar 3, 2025
    risk 0.57cvss 8.8epss 0.01

    Deserialization of Untrusted Data vulnerability in Metagauss ProfileGrid profilegrid-user-profiles-groups-and-communities allows Object Injection.This issue affects ProfileGrid : from n/a through <= 5.9.4.3.

  • CVE-2025-26967HigMar 3, 2025
    risk 0.57cvss 8.8epss 0.01

    Deserialization of Untrusted Data vulnerability in Stiofan Events Calendar for GeoDirectory events-for-geodirectory allows Object Injection.This issue affects Events Calendar for GeoDirectory: from n/a through <= 2.3.14.

  • CVE-2024-13789CriFeb 20, 2025
    risk 0.57cvss 9.8epss 0.01

    The ravpage plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.31 via deserialization of untrusted input from the 'paramsv2' parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain…

  • CVE-2025-24661HigFeb 3, 2025
    risk 0.57cvss 8.8epss 0.01

    Deserialization of Untrusted Data vulnerability in magepeopleteam Taxi Booking Manager for WooCommerce ecab-taxi-booking-manager allows Object Injection.This issue affects Taxi Booking Manager for WooCommerce: from n/a through <= 1.1.8.

  • CVE-2025-23944HigJan 22, 2025
    risk 0.57cvss 8.8epss 0.01

    Deserialization of Untrusted Data vulnerability in bulktheme WOOEXIM wooexim allows Object Injection.This issue affects WOOEXIM: from n/a through <= 5.0.0.

  • CVE-2024-55555HigJan 7, 2025
    risk 0.57cvss 8.8epss 0.07

    Invoice Ninja before 5.10.43 allows remote code execution from a pre-authenticated route when an attacker knows the APP_KEY. This is exacerbated by .env files, available from the product's repository, that have default APP_KEY values. The route/{hash} route defined in the…

  • CVE-2024-10932HigJan 4, 2025
    risk 0.57cvss 8.8epss 0.01

    The Backup Migration plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.6 via deserialization of untrusted input in the 'recursive_unserialize_replace' function. This makes it possible for unauthenticated attackers to inject a…

  • CVE-2024-11501HigDec 7, 2024
    risk 0.57cvss 8.8epss 0.01

    The Gallery plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3 via deserialization of untrusted input from wd_gallery_$id parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to…

  • CVE-2024-10587HigDec 4, 2024
    risk 0.57cvss 8.8epss 0.01

    The Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.7.5.1 via deserialization of untrusted input. This makes it possible for…