Friends
The Friends plugin for WordPress, in versions up to 3.5.1, contains a PHP Object Injection vulnerability: the query_vars parameter is subject to unsafe deserialization, which allows authenticated users with subscriber-level access and above to inject malicious serialized objects. The plugin itself has no known gadget chain (POP chain), so the impact depends on the presence of vulnerable code in other installed plugins or themes. If such a chain exists, attackers can achieve arbitrary file deletion, data exfiltration, or remote code execution. Exploitation also requires knowledge of the site's SALT_NONCE and SALT_KEY values.
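The difference between unsafe deserialization and a hardened decode, as an added example that is not the Friends plugin's code or its fix. All class and function names are hypothetical, the input is constructed, and the `allowed_classes` option assumes PHP 7.0 or later.

```php
<?php
// Added example with hypothetical names; not the Friends plugin's code.

// Constructed stand-in for a class shipped by some other plugin or theme.
// Its magic method runs during deserialization, which is what a POP chain relies on.
class Demo_Side_Effect {
    public static $wakeups = 0;
    public $path = 'constructed-value';
    public function __wakeup() {
        self::$wakeups++; // a real gadget would act on $this->path here
    }
}

// Unsafe pattern: any loaded class named in the input is instantiated.
function decode_unsafe( string $raw ) {
    return unserialize( $raw );
}

// True if $value is an object or contains one at any depth.
function contains_object( $value ): bool {
    if ( is_object( $value ) ) {
        return true;
    }
    if ( is_array( $value ) ) {
        foreach ( $value as $item ) {
            if ( contains_object( $item ) ) {
                return true;
            }
        }
    }
    return false;
}

// Hardened pattern: never build real objects, and accept only a plain array.
function decode_hardened( string $raw ): array {
    $value = unserialize( $raw, array( 'allowed_classes' => false ) );
    if ( ! is_array( $value ) || contains_object( $value ) ) {
        return array(); // reject instead of passing placeholders downstream
    }
    return $value;
}

// Constructed input: query variables that carry a serialized object.
$raw = serialize( array( 'post_type' => 'post', 'x' => new Demo_Side_Effect() ) );

decode_unsafe( $raw );
echo 'wakeups after unsafe decode: ', Demo_Side_Effect::$wakeups, PHP_EOL;
$clean = decode_hardened( $raw );
echo 'wakeups after hardened decode: ', Demo_Side_Effect::$wakeups, PHP_EOL;
echo 'keys accepted by hardened decode: ', count( $clean ), PHP_EOL;
```

With `allowed_classes` set to `false`, the object arrives as a `__PHP_Incomplete_Class` placeholder whose magic methods never run, so the counter does not increase on the second decode and the input is rejected.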