CVE-2020-36727
🔴 Patch now
Insecure deserialization in the Newsletter Manager plugin for WordPress allows attackers to inject a PHP object.
CVSS
9.8
EPSS
1.1%
Exploit
poc
Vendor
xyzscripts
Source description (NVD)
The Newsletter Manager plugin for WordPress is vulnerable to insecure deserialization in versions up to, and including, 1.5.1. This is due to unsanitized input from the 'customFieldsDetails' parameter being passed through a deserialization function. This potentially makes it possible for unauthenticated attackers to inject a serialized PHP object.
deserialization exploit
No patch available
Sources and dates
| Source | Value |
|---|---|
| NVD – CVSS | 9.8 |
| CISA KEV (actively exploited) | No |
| FIRST EPSS (exploit probability) | 1.1% |
| Published (NVD) | 2023-06-07 02:15:12 UTC |
| Last modified (NVD) | 2026-04-08 19:17:36 UTC |
References
- https://blog.nintechnet.com/insecure-deserialization-vulnerability-in-wordpress-newsletter-manager-plugin-unpatched/ (security@wordfence.com) [Exploit]
- https://wpscan.com/vulnerability/b82124b1-e5e1-4f1e-9513-90474fd3f066 (security@wordfence.com) [Third Party Advisory]
- https://www.wordfence.com/threat-intel/vulnerabilities/id/dcfd8c4d-d48b-468d-a7d5-1ec05b068f79?source=cve (security@wordfence.com) [Third Party Advisory]