Skip to main content

Real Testimonials

1 CVEs product

Monthly

CVE-2026-59521 HIGH This Week

PHP Object Injection in the ShapedPlugin Real Testimonials (testimonial-free) WordPress plugin affects all versions up to and including 3.1.15, allowing a high-privileged authenticated user to inject serialized PHP objects that the plugin unsafely deserializes. Depending on gadget chains present in WordPress core, other active plugins, or themes, this can escalate to arbitrary code execution, data disclosure, or site compromise. Reported by Patchstack; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Deserialization Real Testimonials
NVD
CVSS 3.1
7.2
EPSS
0.5%
EPSS 1% CVSS 7.2
HIGH This Week

PHP Object Injection in the ShapedPlugin Real Testimonials (testimonial-free) WordPress plugin affects all versions up to and including 3.1.15, allowing a high-privileged authenticated user to inject serialized PHP objects that the plugin unsafely deserializes. Depending on gadget chains present in WordPress core, other active plugins, or themes, this can escalate to arbitrary code execution, data disclosure, or site compromise. Reported by Patchstack; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Deserialization Real Testimonials
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy