CVE-2020-36718
🔴 Patch now
PHP Object Injection in the GDPR CCPA Compliance Support plugin allows attackers to execute code remotely.
CVSS
9.8
EPSS
1.8%
Exploit
poc
Vendor
ninjateam
Source description (NVD)
The GDPR CCPA Compliance Support plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.3 via deserialization of untrusted input "njt_gdpr_allow_permissions" value. This allows unauthenticated attackers to inject a PHP Object.
deserialization exploit
No patch
Sources and dates
| Source | Value |
|---|---|
| NVD – CVSS | 9.8 |
| CISA KEV (actively exploited) | No |
| FIRST EPSS (exploit probability) | 1.8% |
| Published (NVD) | 2023-06-07 02:15:12 UTC |
| Last modified (NVD) | 2026-04-08 19:17:34 UTC |
References
- https://blog.nintechnet.com/gdpr-ccpa-compliance-support-plugin-fixed-insecure-deserialization-vulnerability/ (security@wordfence.com) [Exploit]
- https://plugins.trac.wordpress.org/changeset/2408938 (security@wordfence.com) [Patch]
- https://plugins.trac.wordpress.org/changeset/2411356/ninja-gdpr-compliance (security@wordfence.com) [Patch]
- https://wordpress.org/plugins/ninja-gdpr-compliance/#developers (security@wordfence.com) [Product]
- https://wpscan.com/vulnerability/92f1d6fb-c665-419e-a13b-688b1df6c395 (security@wordfence.com) [Third Party Advisory]
- https://www.wordfence.com/threat-intel/vulnerabilities/id/a2871261-3231-4a52-9a38-bb3caf461e7d?source=cve (security@wordfence.com) [Third Party Advisory]