VYPR

CWE-502

Deserialization of Untrusted Data

Abstraction: Base, Status: Draft, Likelihood: Medium

Description

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-586

CVEs mapped to this weakness (1,721)

page 35 of 87
  • CVE-2024-9511 (Critical), Nov 23, 2024
    risk 0.57, CVSS 9.8, EPSS 0.01

    The FluentSMTP – WP SMTP Plugin with Amazon SES, SendGrid, MailGun, Postmark, Google and Any SMTP Provider plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.2.82 via deserialization of untrusted input in the 'formatResult'…

  • CVE-2024-10913 (High), Nov 20, 2024
    risk 0.57, CVSS 8.8, EPSS 0.01

    The Clone plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.4.6 via deserialization of untrusted input in the 'recursive_unserialized_replace' function. This makes it possible for unauthenticated attackers to inject a PHP Object.…

  • CVE-2024-52445 (High), Nov 20, 2024
    risk 0.57, CVSS 8.8, EPSS 0.01

    Deserialization of Untrusted Data vulnerability in ModelTheme QRMenu Restaurant QR Menu Lite qrmenu-lite allows Object Injection. This issue affects QRMenu Restaurant QR Menu Lite: from n/a through <= 1.0.4.

  • CVE-2024-50416 (High), Oct 28, 2024
    risk 0.57, CVSS 8.8, EPSS 0.00

    Deserialization of Untrusted Data vulnerability in WPClever WPC Shop as a Customer for WooCommerce wpc-shop-as-customer allows Object Injection. This issue affects WPC Shop as a Customer for WooCommerce: from n/a through <= 1.2.6.

  • CVE-2024-50408 (High), Oct 28, 2024
    risk 0.57, CVSS 8.8, EPSS 0.00

    Deserialization of Untrusted Data vulnerability in Bob Namaste! LMS namaste-lms allows Object Injection. This issue affects Namaste! LMS: from n/a through <= 2.6.3.

  • CVE-2024-49226 (High), Oct 16, 2024
    risk 0.57, CVSS 8.8, EPSS 0.00

    Deserialization of Untrusted Data vulnerability in taketin TAKETIN To WP Membership taketin-to-wp-membership allows Object Injection. This issue affects TAKETIN To WP Membership: from n/a through <= 2.8.17.

  • CVE-2024-8885 (High), Oct 2, 2024
    risk 0.57, CVSS 8.8, EPSS 0.00

    A local privilege escalation vulnerability in Sophos Intercept X for Windows with Central Device Encryption 2024.2.0 and older allows writing of arbitrary files.

  • CVE-2024-7434 (High), Oct 1, 2024
    risk 0.57, CVSS 8.8, EPSS 0.01

    The UltraPress theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.2.2 via deserialization of untrusted input. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No…

  • CVE-2024-7561 (High), Aug 8, 2024
    risk 0.57, CVSS 8.8, EPSS 0.01

    The The Next theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.1.0 via deserialization of untrusted input from the wpeden_post_meta post meta value. This makes it possible for authenticated attackers, with Contributor-level access…

  • CVE-2024-7486 (High), Aug 8, 2024
    risk 0.57, CVSS 8.8, EPSS 0.01

    The MultiPurpose theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.2.0 via deserialization of untrusted input through the 'wpeden_post_meta' post meta. This makes it possible for authenticated attackers, with Contributor-level…

  • CVE-2024-6152 (High), Jul 27, 2024
    risk 0.57, CVSS 8.8, EPSS 0.01

    The Flipbox Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.5 via deserialization of untrusted input in the flipbox_builder_Flipbox_ShortCode function. This makes it possible for authenticated attackers, with…

  • CVE-2024-40624 (Critical), Jul 15, 2024
    risk 0.57, CVSS 9.8, EPSS 0.01

    TorrentPier is an open source BitTorrent Public/Private tracker engine, written in php. In `torrentpier/library/includes/functions.php`, `get_tracks()` uses the unsafe native PHP serialization format to deserialize user-controlled cookies. One can use phpggc and the chain…

  • CVE-2024-39705 (Critical), Jun 27, 2024
    risk 0.57, CVSS 9.8, EPSS 0.01

    NLTK through 3.8.1 allows remote code execution if untrusted packages have pickled Python code, and the integrated data package download functionality is used. This affects, for example, averaged_perceptron_tagger and punkt.

  • CVE-2024-5724 (High), Jun 19, 2024
    risk 0.57, CVSS 8.8, EPSS 0.01

    The Photo Video Gallery Master plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.5.3 via deserialization of untrusted input 'PVGM_all_photos_details' parameter. This makes it possible for authenticated attackers, with…

  • CVE-2024-3954 (High), May 14, 2024
    risk 0.57, CVSS 8.8, EPSS 0.01

    The Ditty plugin for WordPress is vulnerable to PHP Object Injection in all versions up to 3.1.38 via deserialization of untrusted input when adding a new ditty. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object.…

  • CVE-2024-3240 (High), May 4, 2024
    risk 0.57, CVSS 8.8, EPSS 0.01

    The ConvertPlug plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.5.25 via deserialization of untrusted input from the 'settings_encoded' attribute of the 'smile_info_bar' shortcode. This makes it possible for authenticated…

  • CVE-2024-31277 (High), Apr 7, 2024
    risk 0.57, CVSS 8.7, EPSS 0.00

    Deserialization of Untrusted Data vulnerability in PickPlugins Product Designer. This issue affects Product Designer: from n/a through 1.0.32.

  • CVE-2024-2008 (High), Apr 4, 2024
    risk 0.57, CVSS 8.8, EPSS 0.01

    The Modal Popup Box – Popup Builder, Show Offers And News in Popup plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.5.2 via deserialization of untrusted input in the awl_modal_popup_box_shortcode function. This makes it…

  • CVE-2024-1872 (High), Mar 29, 2024
    risk 0.57, CVSS 8.8, EPSS 0.01

    The Button plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.1.27 via deserialization of untrusted input in the button_shortcode function. This makes it possible for authenticated attackers, with contributor-level access and…

  • CVE-2024-24842 (High), Mar 27, 2024
    risk 0.57, CVSS 8.7, EPSS 0.00

    Deserialization of Untrusted Data vulnerability in Echo Plugins Knowledge Base for Documentation, FAQs with AI Assistance. This issue affects Knowledge Base for Documentation, FAQs with AI Assistance: from n/a through 11.30.2.