Real Testimonials
Monthly
PHP Object Injection in the ShapedPlugin Real Testimonials (testimonial-free) WordPress plugin affects all versions up to and including 3.1.15, allowing a high-privileged authenticated user to inject serialized PHP objects that the plugin unsafely deserializes. Depending on gadget chains present in WordPress core, other active plugins, or themes, this can escalate to arbitrary code execution, data disclosure, or site compromise. Reported by Patchstack; no public exploit identified at time of analysis and it is not listed in CISA KEV.
PHP Object Injection in the ShapedPlugin Real Testimonials (testimonial-free) WordPress plugin affects all versions up to and including 3.1.15, allowing a high-privileged authenticated user to inject serialized PHP objects that the plugin unsafely deserializes. Depending on gadget chains present in WordPress core, other active plugins, or themes, this can escalate to arbitrary code execution, data disclosure, or site compromise. Reported by Patchstack; no public exploit identified at time of analysis and it is not listed in CISA KEV.