VYPR

CWE-502

Deserialization of Untrusted Data

Abstraction: Base | Status: Draft | Likelihood of exploit: Medium

Description

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
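The weakness in working code, as an added example that is not from the CWE entry, from MITRE, or from any product listed on this page: a Python service that accepts a native `pickle` stream from a client. The vulnerable form is `pickle.loads()` on the raw bytes; any global named in the stream is imported and called during loading, which is what the PHP object injection and "no class whitelist" entries below describe in their own runtimes. Two mitigations sit beside it: an `Unpickler` whose `find_class()` enforces a class allowlist (the same idea as PHP's `unserialize($s, ['allowed_classes' => [...]])`), and a data-only JSON encoding with explicit field validation, which is the fix to prefer. The `Message` type, the service scenario, and the `run_command` stand-in for a real gadget such as `os.system` are assumptions made for the demonstration; the payload is constructed in-process and is harmless.

```python
"""Added example, not code from the CWE entry or from any product it lists.
Assumed scenario: a service accepts a serialized Message from a client.
- vulnerable_load(): the CWE-502 pattern, pickle.loads() on untrusted bytes.
- safe_load(): an Unpickler whose find_class() enforces a class allowlist.
- from_json(): the preferred fix, a data-only format with field validation.
run_command() is a stand-in for a real gadget such as os.system; it records
the command instead of running it so the demo is harmless."""
import io
import json
import pickle
from dataclasses import dataclass


@dataclass
class Message:
    sender: str
    body: str


SIDE_EFFECTS = []  # what the gadget "executed"; inspected by the demo


def run_command(cmd):
    """Stand-in gadget: a real attacker would point __reduce__ at os.system."""
    SIDE_EFFECTS.append(cmd)
    return "executed: " + cmd


class Exploit:
    """Attacker-side helper used only to craft the payload bytes. The pickle
    stream never names Exploit; it names run_command and its argument, and
    the unpickler calls that callable while loading."""

    def __reduce__(self):
        return (run_command, ("rm -rf /srv/app",))


def build_legit_blob():
    return pickle.dumps(Message("alice", "hello"))


def build_malicious_blob():
    # Constructed here for the demo; an attacker crafts the same bytes offline.
    return pickle.dumps(Exploit())


def vulnerable_load(blob):
    """CWE-502: every global named in the stream is imported and invoked."""
    return pickle.loads(blob)


# Only the one type the service expects; everything else is refused,
# including builtins and stdlib callables that ordinary pickles rely on.
ALLOWED_GLOBALS = {(Message.__module__, Message.__qualname__)}


class AllowlistUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")
        return super().find_class(module, name)


def safe_load(blob):
    obj = AllowlistUnpickler(io.BytesIO(blob)).load()
    # The allowlist limits which classes exist; it does not check shape.
    if not isinstance(obj, Message):
        raise pickle.UnpicklingError("unexpected top-level object")
    return obj


def to_json(msg):
    return json.dumps({"sender": msg.sender, "body": msg.body})


def from_json(text):
    """Data-only replacement: no code is resolved, so validation is all
    that is left to do, and it is done explicitly."""
    data = json.loads(text)
    if not isinstance(data, dict) or set(data) != {"sender", "body"}:
        raise ValueError("unexpected fields")
    for key in ("sender", "body"):
        if not isinstance(data[key], str) or len(data[key]) > 1024:
            raise ValueError(f"{key} must be a string of at most 1024 chars")
    return Message(data["sender"], data["body"])


def rejects(loader, data):
    """True if loader refuses the input without running any gadget."""
    before = len(SIDE_EFFECTS)
    try:
        loader(data)
    except (pickle.UnpicklingError, ValueError):
        return len(SIDE_EFFECTS) == before
    return False


if __name__ == "__main__":
    print(vulnerable_load(build_malicious_blob()), SIDE_EFFECTS)  # gadget ran
    print(safe_load(build_legit_blob()))
    print(rejects(safe_load, build_malicious_blob()))  # True, nothing ran
    print(rejects(from_json, '{"sender": "x", "body": 7}'))  # True
    print(from_json(to_json(Message("bob", "hi"))))
```

Note that the allowlist only decides which names the stream may resolve; `safe_load` still has to check that the loaded object is the expected type, and a native format remains a poor choice for an untrusted boundary because every allowed class's construction and `__setstate__` logic is reachable. The JSON path removes the code-resolution step entirely, so the remaining task is the field validation the CWE description asks for.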

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-586

CVEs mapped to this weakness (1,721)

page 54 of 87
  • CVE-2026-2471 | High | Feb 28, 2026
    risk 0.49 | CVSS 7.5 | EPSS 0.00

    The WP Mail Logging plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.15.0 via deserialization of untrusted input from the email log message field. This is due to the `BaseModel` class constructor calling `maybe_unserialize()` on…

  • CVE-2025-60080 | High | Dec 18, 2025
    risk 0.49 | CVSS 7.5 | EPSS 0.00

    Deserialization of Untrusted Data vulnerability in add-ons.org PDF for Gravity Forms + Drag And Drop Template Builder pdf-for-gravity-forms allows Object Injection. This issue affects PDF for Gravity Forms + Drag And Drop Template Builder: from n/a through <= 6.5.0.

  • CVE-2025-8289 | High | Aug 20, 2025
    risk 0.49 | CVSS 7.5 | EPSS 0.00

    The Redirection for Contact Form 7 plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.2.4 via deserialization of untrusted input in the delete_associated_files function. This makes it possible for unauthenticated attackers to…

  • CVE-2025-48018 | High | May 20, 2025
    risk 0.49 | CVSS 7.5 | EPSS 0.00

    An authenticated user can modify application state data.

  • CVE-2024-56068 | High | Dec 31, 2024
    risk 0.49 | CVSS 7.5 | EPSS 0.00

    Deserialization of Untrusted Data vulnerability in azzaroco WP SuperBackup indeed-wp-superbackup. This issue affects WP SuperBackup: from n/a through <= 2.3.3.

  • CVE-2024-6960 | High | Jul 21, 2024
    risk 0.49 | CVSS 7.5 | EPSS 0.01

    The H2O machine learning platform uses "Iced" classes as the primary means of moving Java Objects around the cluster. The Iced format supports inclusion of serialized Java objects. When a model is deserialized, any class is allowed to be deserialized (no class whitelist). An…

  • CVE-2024-4733 | High | May 16, 2024
    risk 0.49 | CVSS 7.5 | EPSS 0.01

    The ShiftController Employee Shift Scheduling plugin is vulnerable to PHP Object Injection via deserialization of untrusted input via the `hc3_session`-cookie in versions up to, and including, 4.9.57. This makes it possible for an authenticated attacker with contributor…

  • CVE-2024-4838 | High | May 16, 2024
    risk 0.49 | CVSS 7.5 | EPSS 0.01

    The ConvertPlus plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.5.26 via deserialization of untrusted input from the 'settings_encoded' attribute of the 'smile_modal' shortcode. This makes it possible for authenticated…

  • CVE-2024-1897 | High | May 2, 2024
    risk 0.49 | CVSS 7.5 | EPSS 0.01

    The Grid Gallery – Photo Image Grid Gallery plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.3 via deserialization via shortcode of untrusted input from the awl_gg_settings_ meta value. This makes it possible for…

  • CVE-2024-1896 | High | May 2, 2024
    risk 0.49 | CVSS 7.5 | EPSS 0.01

    The Photo Gallery – Responsive Photo Gallery, Image Gallery, Portfolio Gallery, Logo Gallery And Team Gallery plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.2 via deserialization via shortcode of untrusted input from the…

  • CVE-2024-2501 | High | Apr 9, 2024
    risk 0.49 | CVSS 7.5 | EPSS 0.01

    The Hubbub Lite – Fast, Reliable Social Sharing Buttons plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.33.1 via deserialization of untrusted input via the 'dpsp_maybe_unserialize' function. This makes it possible for…

  • CVE-2024-1951 | High | Mar 13, 2024
    risk 0.49 | CVSS 7.5 | EPSS 0.01

    The Logo Showcase Ultimate – Logo Carousel, Logo Slider & Logo Grid plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.8 via deserialization via shortcode of untrusted input. This makes it possible for authenticated attackers,…

  • CVE-2024-1950 | High | Mar 13, 2024
    risk 0.49 | CVSS 7.5 | EPSS 0.01

    The Product Carousel Slider & Grid Ultimate for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.9.7 via deserialization of untrusted input via shortcode. This makes it possible for authenticated attackers, with…

  • CVE-2023-32513 | High | Dec 28, 2023
    risk 0.49 | CVSS 7.5 | EPSS 0.01

    Deserialization of Untrusted Data vulnerability in GiveWP GiveWP – Donation Plugin and Fundraising Platform. This issue affects GiveWP – Donation Plugin and Fundraising Platform: from n/a through 2.25.3.

  • CVE-2023-49819 | High | Dec 19, 2023
    risk 0.49 | CVSS 7.5 | EPSS 0.01

    Deserialization of Untrusted Data vulnerability in Gordon Böhme, Antonio Leutsch Structured Content (JSON-LD) #wpsc. This issue affects Structured Content (JSON-LD) #wpsc: from n/a through 1.5.3.

  • CVE-2023-26464 | High | Mar 10, 2023
    risk 0.49 | CVSS 7.5 | EPSS 0.02

    ** UNSUPPORTED WHEN ASSIGNED ** When using the Chainsaw or SocketAppender components with Log4j 1.x on JRE less than 1.7, an attacker that manages to cause a logging entry involving a specially-crafted (i.e., deeply nested) hashmap or hashtable (depending on which logging…

  • CVE-2023-21538 | High | Jan 10, 2023
    risk 0.49 | CVSS 7.5 | EPSS 0.03

    .NET Denial of Service Vulnerability

  • CVE-2021-32742 | High | Jul 9, 2021
    risk 0.49 | CVSS 7.5 | EPSS 0.01

    Vapor is a web framework for Swift. In versions 4.47.1 and prior, a bug in the `Data.init(base32Encoded:)` function opens up the potential for exposing server memory and/or crashing the server (Denial of Service) for applications where untrusted data can end up in said function.…

  • CVE-2020-8164 | High | Jun 19, 2020
    risk 0.49 | CVSS 7.5 | EPSS 0.04

    A deserialization of untrusted data vulnerability exists in rails < 5.2.4.3, rails < 6.0.3.1 which can allow an attacker to supply information that can be inadvertently leaked from Strong Parameters.

  • CVE-2018-12680 | High | Apr 2, 2019
    risk 0.49 | CVSS 7.5 | EPSS 0.01

    The Serialize.deserialize() method in CoAPthon 3.1, 4.0.0, 4.0.1, and 4.0.2 mishandles certain exceptions, leading to a denial of service in applications that use this library (e.g., the standard CoAP server, CoAP client, CoAP reverse proxy, example collect CoAP server and…