CWE-502
Deserialization of Untrusted Data
Description
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-586
CVEs mapped to this weakness (1,721)
page 45 of 87| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-0726 | Hig | 0.53 | 8.1 | 0.00 | Jan 20, 2026 | The Nexter Extension – Site Enhancements Toolkit plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.4.6 via deserialization of untrusted input in the 'nxt_unserialize_replace' function. This makes it possible for unauthenticated… | ||
| CVE-2025-14044 | Hig | 0.53 | 8.1 | 0.00 | Dec 12, 2025 | The Visitor Logic Lite plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0.3 via deserialization of untrusted input from the `lpblocks` cookie. This is due to the `lp_track()` function passing unsanitized cookie data directly to… | ||
| CVE-2025-58592 | Hig | 0.53 | 8.1 | 0.00 | Nov 6, 2025 | Deserialization of Untrusted Data vulnerability in Cozmoslabs TranslatePress translatepress-multilingual allows Object Injection.This issue affects TranslatePress: from n/a through <= 2.10.2. | ||
| CVE-2025-46183 | Hig | 0.53 | 8.2 | 0.00 | Oct 24, 2025 | The Utils.deserialize function in pgCodeKeeper 10.12.0 processes serialized data from untrusted sources. If an attacker provides a specially crafted .ser file, deserialization may result in unintended code execution or other malicious behavior on the target system. | ||
| CVE-2025-53584 | Hig | 0.53 | 8.1 | 0.00 | Aug 28, 2025 | Deserialization of Untrusted Data vulnerability in emarket-design WP Ticket Customer Service Software & Support Ticket System wp-ticket allows Object Injection.This issue affects WP Ticket Customer Service Software & Support Ticket System: from n/a through <= 6.0.2. | ||
| CVE-2025-53583 | Hig | 0.53 | 8.1 | 0.00 | Aug 28, 2025 | Deserialization of Untrusted Data vulnerability in emarket-design Employee Spotlight employee-spotlight allows Object Injection.This issue affects Employee Spotlight: from n/a through <= 5.1.1. | ||
| CVE-2025-53572 | Hig | 0.53 | 8.1 | 0.00 | Aug 28, 2025 | Deserialization of Untrusted Data vulnerability in emarket-design WP Easy Contact wp-easy-contact allows Object Injection.This issue affects WP Easy Contact: from n/a through <= 4.0.1. | ||
| CVE-2025-53243 | Hig | 0.53 | 8.1 | 0.00 | Aug 28, 2025 | Deserialization of Untrusted Data vulnerability in emarket-design Employee Directory – Staff Listing & Team Directory Plugin for WordPress employee-directory allows Object Injection.This issue affects Employee Directory – Staff Listing & Team Directory Plugin for WordPress:… | ||
| CVE-2024-54678 | Hig | 0.53 | 8.2 | 0.00 | Aug 12, 2025 | A vulnerability has been identified in SIMATIC PCS neo V4.1 (All versions), SIMATIC PCS neo V5.0 (All versions), SIMATIC PCS neo V6.0 (All versions < V6.0 SP1 Update 1), SIMATIC S7-PLCSIM V17 (All versions), SIMATIC STEP 7 V17 (All versions < V17 Update 9), SIMATIC STEP 7 V18… | ||
| CVE-2025-24919 | Hig | 0.53 | 8.1 | 0.02 | Jun 13, 2025 | A deserialization of untrusted input vulnerability exists in the cvhDecapsulateCmd functionality of Dell ControlVault3 prior to 5.15.10.14 and ControlVault3 Plus prior to 6.2.26.36. A specially crafted ControlVault response to a command can lead to arbitrary code execution. An… | ||
| CVE-2025-48951 | Cri | 0.53 | — | 0.01 | Jun 3, 2025 | Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. Versions 8.0.0-BETA3 prior to 8.3.1 contain a vulnerability due to insecure deserialization of cookie data. If exploited, since SDKs process cookie content without prior authentication, a threat actor could… | ||
| CVE-2025-0956 | Hig | 0.53 | 8.1 | 0.01 | Mar 5, 2025 | The WooCommerce Recover Abandoned Cart plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 24.4.0 via deserialization of untrusted input from the 'raccookie_guest_email' cookie. This makes it possible for unauthenticated attackers to… | ||
| CVE-2024-56291 | Hig | 0.53 | 8.1 | 0.00 | Jan 7, 2025 | Deserialization of Untrusted Data vulnerability in plainware PlainInventory z-inventory-manager allows Object Injection.This issue affects PlainInventory: from n/a through <= 3.1.6. | ||
| CVE-2024-56283 | Hig | 0.53 | 8.1 | 0.00 | Jan 7, 2025 | Deserialization of Untrusted Data vulnerability in plainware Locatoraid Store Locator locatoraid allows Object Injection.This issue affects Locatoraid Store Locator: from n/a through <= 3.9.50. | ||
| CVE-2024-12312 | Hig | 0.53 | 8.1 | 0.01 | Dec 12, 2024 | The Print Science Designer plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.152 via deserialization of untrusted input through the 'designer-saved-projects' cookie. This makes it possible for unauthenticated attackers to inject… | ||
| CVE-2023-23649 | Hig | 0.53 | 8.1 | 0.01 | Mar 28, 2024 | Deserialization of Untrusted Data vulnerability in MainWP MainWP Links Manager Extension.This issue affects MainWP Links Manager Extension: from n/a through 2.1. | ||
| CVE-2024-30230 | Hig | 0.53 | 8.2 | 0.01 | Mar 28, 2024 | Deserialization of Untrusted Data vulnerability in Acowebs PDF Invoices and Packing Slips For WooCommerce.This issue affects PDF Invoices and Packing Slips For WooCommerce: from n/a through 1.3.7. | ||
| CVE-2024-2721 | Hig | 0.53 | 8.2 | 0.01 | Mar 20, 2024 | Deserialization of Untrusted Data vulnerability in Social Media Share Buttons By Sygnoos Social Media Share Buttons.This issue affects Social Media Share Buttons: from n/a through 2.1.0. | ||
| CVE-2024-24796 | Hig | 0.53 | 8.2 | 0.01 | Feb 12, 2024 | Deserialization of Untrusted Data vulnerability in MagePeople Team Event Manager and Tickets Selling Plugin for WooCommerce – WpEvently – WordPress Plugin.This issue affects Event Manager and Tickets Selling Plugin for WooCommerce – WpEvently – WordPress Plugin: from n/a… | ||
| CVE-2023-32795 | Hig | 0.53 | 8.2 | 0.01 | Dec 28, 2023 | Deserialization of Untrusted Data vulnerability in WooCommerce Product Add-Ons.This issue affects Product Add-Ons: from n/a through 6.1.3. |
- risk 0.53cvss 8.1epss 0.00
The Nexter Extension – Site Enhancements Toolkit plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.4.6 via deserialization of untrusted input in the 'nxt_unserialize_replace' function. This makes it possible for unauthenticated…
- risk 0.53cvss 8.1epss 0.00
The Visitor Logic Lite plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0.3 via deserialization of untrusted input from the `lpblocks` cookie. This is due to the `lp_track()` function passing unsanitized cookie data directly to…
- risk 0.53cvss 8.1epss 0.00
Deserialization of Untrusted Data vulnerability in Cozmoslabs TranslatePress translatepress-multilingual allows Object Injection.This issue affects TranslatePress: from n/a through <= 2.10.2.
- risk 0.53cvss 8.2epss 0.00
The Utils.deserialize function in pgCodeKeeper 10.12.0 processes serialized data from untrusted sources. If an attacker provides a specially crafted .ser file, deserialization may result in unintended code execution or other malicious behavior on the target system.
- risk 0.53cvss 8.1epss 0.00
Deserialization of Untrusted Data vulnerability in emarket-design WP Ticket Customer Service Software & Support Ticket System wp-ticket allows Object Injection.This issue affects WP Ticket Customer Service Software & Support Ticket System: from n/a through <= 6.0.2.
- risk 0.53cvss 8.1epss 0.00
Deserialization of Untrusted Data vulnerability in emarket-design Employee Spotlight employee-spotlight allows Object Injection.This issue affects Employee Spotlight: from n/a through <= 5.1.1.
- risk 0.53cvss 8.1epss 0.00
Deserialization of Untrusted Data vulnerability in emarket-design WP Easy Contact wp-easy-contact allows Object Injection.This issue affects WP Easy Contact: from n/a through <= 4.0.1.
- risk 0.53cvss 8.1epss 0.00
Deserialization of Untrusted Data vulnerability in emarket-design Employee Directory – Staff Listing & Team Directory Plugin for WordPress employee-directory allows Object Injection.This issue affects Employee Directory – Staff Listing & Team Directory Plugin for WordPress:…
- risk 0.53cvss 8.2epss 0.00
A vulnerability has been identified in SIMATIC PCS neo V4.1 (All versions), SIMATIC PCS neo V5.0 (All versions), SIMATIC PCS neo V6.0 (All versions < V6.0 SP1 Update 1), SIMATIC S7-PLCSIM V17 (All versions), SIMATIC STEP 7 V17 (All versions < V17 Update 9), SIMATIC STEP 7 V18…
- risk 0.53cvss 8.1epss 0.02
A deserialization of untrusted input vulnerability exists in the cvhDecapsulateCmd functionality of Dell ControlVault3 prior to 5.15.10.14 and ControlVault3 Plus prior to 6.2.26.36. A specially crafted ControlVault response to a command can lead to arbitrary code execution. An…
- risk 0.53cvss —epss 0.01
Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. Versions 8.0.0-BETA3 prior to 8.3.1 contain a vulnerability due to insecure deserialization of cookie data. If exploited, since SDKs process cookie content without prior authentication, a threat actor could…
- risk 0.53cvss 8.1epss 0.01
The WooCommerce Recover Abandoned Cart plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 24.4.0 via deserialization of untrusted input from the 'raccookie_guest_email' cookie. This makes it possible for unauthenticated attackers to…
- risk 0.53cvss 8.1epss 0.00
Deserialization of Untrusted Data vulnerability in plainware PlainInventory z-inventory-manager allows Object Injection.This issue affects PlainInventory: from n/a through <= 3.1.6.
- risk 0.53cvss 8.1epss 0.00
Deserialization of Untrusted Data vulnerability in plainware Locatoraid Store Locator locatoraid allows Object Injection.This issue affects Locatoraid Store Locator: from n/a through <= 3.9.50.
- risk 0.53cvss 8.1epss 0.01
The Print Science Designer plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.152 via deserialization of untrusted input through the 'designer-saved-projects' cookie. This makes it possible for unauthenticated attackers to inject…
- risk 0.53cvss 8.1epss 0.01
Deserialization of Untrusted Data vulnerability in MainWP MainWP Links Manager Extension.This issue affects MainWP Links Manager Extension: from n/a through 2.1.
- risk 0.53cvss 8.2epss 0.01
Deserialization of Untrusted Data vulnerability in Acowebs PDF Invoices and Packing Slips For WooCommerce.This issue affects PDF Invoices and Packing Slips For WooCommerce: from n/a through 1.3.7.
- risk 0.53cvss 8.2epss 0.01
Deserialization of Untrusted Data vulnerability in Social Media Share Buttons By Sygnoos Social Media Share Buttons.This issue affects Social Media Share Buttons: from n/a through 2.1.0.
- risk 0.53cvss 8.2epss 0.01
Deserialization of Untrusted Data vulnerability in MagePeople Team Event Manager and Tickets Selling Plugin for WooCommerce – WpEvently – WordPress Plugin.This issue affects Event Manager and Tickets Selling Plugin for WooCommerce – WpEvently – WordPress Plugin: from n/a…
- risk 0.53cvss 8.2epss 0.01
Deserialization of Untrusted Data vulnerability in WooCommerce Product Add-Ons.This issue affects Product Add-Ons: from n/a through 6.1.3.