Deserialization
Monthly
The All-in-One WP Migration and Backup plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.89 via deserialization of untrusted input in the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
An integer underflow during deserialization may allow any unauthenticated user to read out of bounds heap memory. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Nintex Automation 5.6 and 5.7 versions up to 5.8 is affected by deserialization of untrusted data (CVSS 8.5).
PickleScan before 0.0.23 can be bypassed by flipping specific ZIP file header flag bits, allowing malicious pickle files to evade detection inside PyTorch model archives. An attacker can embed arbitrary code execution payloads that PickleScan misses but PyTorch's torch.load() still processes. A proof-of-concept exists and a patch is available in version 0.0.23.
A vulnerability was discovered in the Arctera InfoScale 7.0 through 8.0.2 where a .NET remoting endpoint can be exploited due to the insecure deserialization of potentially untrusted messages. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The Gallery by BestWebSoft - Customizable Image and Photo Galleries for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.7.3 via. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A vulnerability was found in LinZhaoguan pb-cms 1.0.0 and classified as critical. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A deserialization of untrusted data vulnerability exists in NI G Web Development Software that may result in arbitrary code execution. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
The WooCommerce Recover Abandoned Cart plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 24.3.0 via deserialization of untrusted input from the. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
The VEDA - MultiPurpose WordPress Theme theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.2 via deserialization of untrusted input in the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The ZoomSounds - WordPress Wave Audio Player with Playlist plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.91 via deserialization of untrusted input. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
The Donations Widget plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.19.4 via deserialization of untrusted input from the Donation Form through the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.
Deserialization of Untrusted Data vulnerability in Metagauss ProfileGrid allows Object Injection.9.4.3. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in Stiofan Events Calendar for GeoDirectory allows Object Injection.3.14. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in Brent Jett Assistant allows Object Injection.5.1. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Insecure deserialization and improper certificate validation in Checkmk Exchange plugin check-mk-api prior to 5.8.1. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.
The Album Gallery - WordPress Gallery plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.6.3 via deserialization of untrusted input from gallery meta. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
PixelYourSite - Your smart PIXEL (TAG) and API Manager 10.1.1.1 was found to be vulnerable. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
The Tabs for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0.0 via deserialization of untrusted input in the 'product_has_custom_tabs'. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
WP Activity Log 5.3.2 was found to be vulnerable. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
A vulnerability classified as problematic was found in b1gMail up to 7.4.1-pl1. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in flexmls Flexmls® IDX allows Object Injection.14.27. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in Nazmul Hasan Robin NHR Options Table Manager allows Object Injection.1.2. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in giuliopanda ADFO allows Object Injection.9.1. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in MetaSlider Responsive Slider by MetaSlider allows Object Injection.94.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability, which was classified as problematic, has been found in westboy CicadasCMS 1.0. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
The Mambo Importer plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0 via deserialization of untrusted input via the $data parameter in the. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Qiskit SDK 0.45.0 through 1.2.4 could allow a remote attacker to cause a denial of service using a maliciously crafted QPY file containing a malformed symengine serialization stream which can cause a. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The ravpage plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.31 via deserialization of untrusted input from the 'paramsv2' parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Sitecore Experience Manager (XM) and Experience Platform (XP) 10.4 before KB1002844 allow remote code execution through insecure deserialization. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 57.6%.
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 is vulnerable to unrestricted deserialization. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The Affiliate Links: WordPress Plugin for Link Cloaking and Link Management plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.0.1 via deserialization. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.
The s2Member Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 241216 via deserialization of untrusted input from the 's2member_pro_remote_op'. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
g. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In Apache Ignite versions from 2.6.0 and before 2.17.0, configured Class Serialization Filters are ignored for some Ignite endpoints. Rated critical severity (CVSS 9.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The Puzzles | WP Magazine / Review with Store WordPress Theme + RTL theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.2.4 via deserialization of. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
A vulnerability was found in dayrui XunRuiCMS up to 4.6.4. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A vulnerability was found in dayrui XunRuiCMS 4.6.3. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI that allows remote code execution on Wazuh management servers.
A vulnerability was found in taisan tarzan-cms up to 1.0.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
The WP All Import Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.9.7 via deserialization of untrusted input from an import file. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Trimble Cityworks asset management platform contains a deserialization vulnerability allowing authenticated users to achieve remote code execution on the IIS web server hosting the application.
A vulnerability in an API of Cisco ISE could allow an authenticated, remote attacker to execute arbitrary commands as the root user on an affected device. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Deserialization of Untrusted Data vulnerability in MagePeople Team Taxi Booking Manager for WooCommerce allows Object Injection.1.8. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A vulnerability, which was classified as critical, has been found in MaxD Lightning Module 4.43 on OpenCart. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable. No vendor patch available.
The iControlWP - Multiple WordPress Site Manager plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.4.5 via deserialization of untrusted input from the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.
The Snowflake Connector for Python provides an interface for developing Python applications that can connect to Snowflake and perform all standard operations. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.
A vulnerability has been found in Aridius XYZ up to 20240927 on OpenCart and classified as critical. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.
NVIDIA RAPIDS contains a vulnerability in cuDF and cuML, where a user could cause a deserialization of untrusted data issue. Rated medium severity (CVSS 6.8), this vulnerability is low attack complexity. No vendor patch available.
A vulnerability has been found in y_project RuoYi up to 4.8.0 and classified as critical. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
vLLM is a library for LLM inference and serving. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.
Deserialization of Untrusted Data vulnerability in Pdfcrowd Save as PDF plugin by Pdfcrowd allows Object Injection.4.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in ThimPress FundPress allows Object Injection.0.6. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The Custom Product Tabs Lite for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.9.0 via deserialization of untrusted input from the. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
SonicWall SMA1000 AMC and CMC contain a pre-authentication deserialization vulnerability allowing unauthenticated remote attackers to execute arbitrary OS commands on the management appliance.
Deserialization of Untrusted Data vulnerability in NotFound Muzaara Google Ads Report allows Object Injection.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.5 and 6.2.0.0 through 6.2.0.2 allow an attacker on the local network to execute arbitrary code on the system, caused by the. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. Epss exploitation probability 18.2% and no vendor patch available.
Deserialization of Untrusted Data vulnerability in WOOEXIM.COM WOOEXIM allows Object Injection.0.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in NotFound Quick Count allows Object Injection.00. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The "AI Power: Complete AI Pack" plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.8.96 via deserialization of untrusted input from the. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.
The "AI Power: Complete AI Pack" plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.8.96 via deserialization of untrusted input from the. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.
In checkKeyIntentParceledCorrectly of AccountManagerService.java, there is a possible way to bypass parcel mismatch mitigation due to unsafe deserialization. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in NotFound ARPrice allows Object Injection.0.3. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in NotFound ARPrice allows Object Injection.0.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The String locator plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.6.6 via deserialization of untrusted input in the 'recursive_unserialize_replace'. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 16.5%.
The a+HRD from aEnrich Technology has an Insecure Deserialization vulnerability, allowing remote attackers with database modification privileges and regular system privileges to perform arbitrary. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
and potential remote code execution on workstation when a non-admin authenticated user opens a malicious project file. Rated high severity (CVSS 8.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Matrix Media Repo (MMR) is a highly configurable multi-homeserver media repository for Matrix. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
MSFM before 2025.01.01 was discovered to contain a fastjson deserialization vulnerability via the component system/table/editField. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
MSFM before 2025.01.01 was discovered to contain a fastjson deserialization vulnerability via the component system/table/add. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
MSFM before 2025.01.01 was discovered to contain a fastjson deserialization vulnerability via the component system/table/addField. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
MSFM before v2025.01.01 was discovered to contain a deserialization vulnerability via the pom.xml configuration file. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Microsoft Excel Security Feature Bypass Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.
A vulnerability was found in AquilaCMS 1.412.13. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Deserialization of untrusted data in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to achieve remote code. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Epss exploitation probability 26.5% and no vendor patch available.
Deserialization of Untrusted Data vulnerability in GiveWP GiveWP allows Object Injection.19.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.19.2 via deserialization of untrusted input. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 27.5%.
The Coupon X: Discount Pop Up, Promo Code Pop Ups, Announcement Pop Up, WooCommerce Popups plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.5 via. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.
Deserialization of Untrusted Data vulnerability in Drupal Eloqua allows Object Injection.X-* before 7.X-1.15. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable. No vendor patch available.
Deserialization of Untrusted Data vulnerability in Drupal Mailjet allows Object Injection.0.0 before 4.0.1. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable. No vendor patch available.
Deserialization of Untrusted Data vulnerability in Drupal Node export allows Object Injection.X-* before 7.X-3.3. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable. No vendor patch available.
Deserialization of Untrusted Data vulnerability in Drupal Monster Menus allows Object Injection.0.0 before 9.3.4, from 9.4.0 before 9.4.2. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in Konrad Karpieszuk WC Price History for Omnibus allows Object Injection.1.4. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 14.8% and no vendor patch available.
Vendor: The Apache Software Foundation Versions Affected: Apache OpenMeetings from 2.1.0 before 8.0.0 Description: Default clustering instructions at https://openmeetings.apache.org/Clustering.html. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Invoice Ninja before 5.10.43 allows remote code execution from a pre-authenticated route when an attacker knows the APP_KEY. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 39.4% and no vendor patch available.
Crater Invoice application allows unauthenticated remote command execution through Laravel session cookie deserialization when the APP_KEY is known. Attackers who obtain the application key can forge session cookies containing serialized PHP objects that execute arbitrary commands on the server.
Deserialization of Untrusted Data vulnerability in plainware.com PlainInventory allows Object Injection.1.6. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Deserialization of Untrusted Data vulnerability in plainware.com Locatoraid Store Locator allows Object Injection.9.50. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
The All-in-One WP Migration and Backup plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.89 via deserialization of untrusted input in the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
An integer underflow during deserialization may allow any unauthenticated user to read out of bounds heap memory. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Nintex Automation 5.6 and 5.7 versions up to 5.8 is affected by deserialization of untrusted data (CVSS 8.5).
PickleScan before 0.0.23 can be bypassed by flipping specific ZIP file header flag bits, allowing malicious pickle files to evade detection inside PyTorch model archives. An attacker can embed arbitrary code execution payloads that PickleScan misses but PyTorch's torch.load() still processes. A proof-of-concept exists and a patch is available in version 0.0.23.
A vulnerability was discovered in the Arctera InfoScale 7.0 through 8.0.2 where a .NET remoting endpoint can be exploited due to the insecure deserialization of potentially untrusted messages. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The Gallery by BestWebSoft - Customizable Image and Photo Galleries for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.7.3 via. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A vulnerability was found in LinZhaoguan pb-cms 1.0.0 and classified as critical. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A deserialization of untrusted data vulnerability exists in NI G Web Development Software that may result in arbitrary code execution. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
The WooCommerce Recover Abandoned Cart plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 24.3.0 via deserialization of untrusted input from the. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
The VEDA - MultiPurpose WordPress Theme theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.2 via deserialization of untrusted input in the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The ZoomSounds - WordPress Wave Audio Player with Playlist plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.91 via deserialization of untrusted input. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
The Donations Widget plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.19.4 via deserialization of untrusted input from the Donation Form through the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.
Deserialization of Untrusted Data vulnerability in Metagauss ProfileGrid allows Object Injection.9.4.3. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in Stiofan Events Calendar for GeoDirectory allows Object Injection.3.14. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in Brent Jett Assistant allows Object Injection.5.1. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Insecure deserialization and improper certificate validation in Checkmk Exchange plugin check-mk-api prior to 5.8.1. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.
The Album Gallery - WordPress Gallery plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.6.3 via deserialization of untrusted input from gallery meta. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
PixelYourSite - Your smart PIXEL (TAG) and API Manager 10.1.1.1 was found to be vulnerable. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
The Tabs for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0.0 via deserialization of untrusted input in the 'product_has_custom_tabs'. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
WP Activity Log 5.3.2 was found to be vulnerable. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
A vulnerability classified as problematic was found in b1gMail up to 7.4.1-pl1. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in flexmls Flexmls® IDX allows Object Injection.14.27. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in Nazmul Hasan Robin NHR Options Table Manager allows Object Injection.1.2. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in giuliopanda ADFO allows Object Injection.9.1. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in MetaSlider Responsive Slider by MetaSlider allows Object Injection.94.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability, which was classified as problematic, has been found in westboy CicadasCMS 1.0. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
The Mambo Importer plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0 via deserialization of untrusted input via the $data parameter in the. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Qiskit SDK 0.45.0 through 1.2.4 could allow a remote attacker to cause a denial of service using a maliciously crafted QPY file containing a malformed symengine serialization stream which can cause a. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The ravpage plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.31 via deserialization of untrusted input from the 'paramsv2' parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Sitecore Experience Manager (XM) and Experience Platform (XP) 10.4 before KB1002844 allow remote code execution through insecure deserialization. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 57.6%.
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 is vulnerable to unrestricted deserialization. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The Affiliate Links: WordPress Plugin for Link Cloaking and Link Management plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.0.1 via deserialization. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.
The s2Member Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 241216 via deserialization of untrusted input from the 's2member_pro_remote_op'. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
g. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In Apache Ignite versions from 2.6.0 and before 2.17.0, configured Class Serialization Filters are ignored for some Ignite endpoints. Rated critical severity (CVSS 9.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The Puzzles | WP Magazine / Review with Store WordPress Theme + RTL theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.2.4 via deserialization of. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
A vulnerability was found in dayrui XunRuiCMS up to 4.6.4. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A vulnerability was found in dayrui XunRuiCMS 4.6.3. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI that allows remote code execution on Wazuh management servers.
A vulnerability was found in taisan tarzan-cms up to 1.0.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
The WP All Import Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.9.7 via deserialization of untrusted input from an import file. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Trimble Cityworks asset management platform contains a deserialization vulnerability allowing authenticated users to achieve remote code execution on the IIS web server hosting the application.
A vulnerability in an API of Cisco ISE could allow an authenticated, remote attacker to execute arbitrary commands as the root user on an affected device. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Deserialization of Untrusted Data vulnerability in MagePeople Team Taxi Booking Manager for WooCommerce allows Object Injection.1.8. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A vulnerability, which was classified as critical, has been found in MaxD Lightning Module 4.43 on OpenCart. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable. No vendor patch available.
The iControlWP - Multiple WordPress Site Manager plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.4.5 via deserialization of untrusted input from the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.
The Snowflake Connector for Python provides an interface for developing Python applications that can connect to Snowflake and perform all standard operations. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.
A vulnerability has been found in Aridius XYZ up to 20240927 on OpenCart and classified as critical. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.
NVIDIA RAPIDS contains a vulnerability in cuDF and cuML, where a user could cause a deserialization of untrusted data issue. Rated medium severity (CVSS 6.8), this vulnerability is low attack complexity. No vendor patch available.
A vulnerability has been found in y_project RuoYi up to 4.8.0 and classified as critical. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
vLLM is a library for LLM inference and serving. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.
Deserialization of Untrusted Data vulnerability in Pdfcrowd Save as PDF plugin by Pdfcrowd allows Object Injection.4.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in ThimPress FundPress allows Object Injection.0.6. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The Custom Product Tabs Lite for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.9.0 via deserialization of untrusted input from the. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
SonicWall SMA1000 AMC and CMC contain a pre-authentication deserialization vulnerability allowing unauthenticated remote attackers to execute arbitrary OS commands on the management appliance.
Deserialization of Untrusted Data vulnerability in NotFound Muzaara Google Ads Report allows Object Injection.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.5 and 6.2.0.0 through 6.2.0.2 allow an attacker on the local network to execute arbitrary code on the system, caused by the. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. Epss exploitation probability 18.2% and no vendor patch available.
Deserialization of Untrusted Data vulnerability in WOOEXIM.COM WOOEXIM allows Object Injection.0.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in NotFound Quick Count allows Object Injection.00. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The "AI Power: Complete AI Pack" plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.8.96 via deserialization of untrusted input from the. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.
The "AI Power: Complete AI Pack" plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.8.96 via deserialization of untrusted input from the. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.
In checkKeyIntentParceledCorrectly of AccountManagerService.java, there is a possible way to bypass parcel mismatch mitigation due to unsafe deserialization. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in NotFound ARPrice allows Object Injection.0.3. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in NotFound ARPrice allows Object Injection.0.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The String locator plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.6.6 via deserialization of untrusted input in the 'recursive_unserialize_replace'. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 16.5%.
The a+HRD from aEnrich Technology has an Insecure Deserialization vulnerability, allowing remote attackers with database modification privileges and regular system privileges to perform arbitrary. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
and potential remote code execution on workstation when a non-admin authenticated user opens a malicious project file. Rated high severity (CVSS 8.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Matrix Media Repo (MMR) is a highly configurable multi-homeserver media repository for Matrix. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
MSFM before 2025.01.01 was discovered to contain a fastjson deserialization vulnerability via the component system/table/editField. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
MSFM before 2025.01.01 was discovered to contain a fastjson deserialization vulnerability via the component system/table/add. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
MSFM before 2025.01.01 was discovered to contain a fastjson deserialization vulnerability via the component system/table/addField. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
MSFM before v2025.01.01 was discovered to contain a deserialization vulnerability via the pom.xml configuration file. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Microsoft Excel Security Feature Bypass Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.
A vulnerability was found in AquilaCMS 1.412.13. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Deserialization of untrusted data in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to achieve remote code. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Epss exploitation probability 26.5% and no vendor patch available.
Deserialization of Untrusted Data vulnerability in GiveWP GiveWP allows Object Injection.19.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.19.2 via deserialization of untrusted input. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 27.5%.
The Coupon X: Discount Pop Up, Promo Code Pop Ups, Announcement Pop Up, WooCommerce Popups plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.5 via. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.
Deserialization of Untrusted Data vulnerability in Drupal Eloqua allows Object Injection.X-* before 7.X-1.15. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable. No vendor patch available.
Deserialization of Untrusted Data vulnerability in Drupal Mailjet allows Object Injection.0.0 before 4.0.1. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable. No vendor patch available.
Deserialization of Untrusted Data vulnerability in Drupal Node export allows Object Injection.X-* before 7.X-3.3. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable. No vendor patch available.
Deserialization of Untrusted Data vulnerability in Drupal Monster Menus allows Object Injection.0.0 before 9.3.4, from 9.4.0 before 9.4.2. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in Konrad Karpieszuk WC Price History for Omnibus allows Object Injection.1.4. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 14.8% and no vendor patch available.
Vendor: The Apache Software Foundation Versions Affected: Apache OpenMeetings from 2.1.0 before 8.0.0 Description: Default clustering instructions at https://openmeetings.apache.org/Clustering.html. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Invoice Ninja before 5.10.43 allows remote code execution from a pre-authenticated route when an attacker knows the APP_KEY. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 39.4% and no vendor patch available.
Crater Invoice application allows unauthenticated remote command execution through Laravel session cookie deserialization when the APP_KEY is known. Attackers who obtain the application key can forge session cookies containing serialized PHP objects that execute arbitrary commands on the server.
Deserialization of Untrusted Data vulnerability in plainware.com PlainInventory allows Object Injection.1.6. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Deserialization of Untrusted Data vulnerability in plainware.com Locatoraid Store Locator allows Object Injection.9.50. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.