Thrive Apprentice

1 CVEs product

CVE-2026-49107 CRITICAL PATCH Act Now

Unauthenticated PHP Object Injection in the Thrive Apprentice WordPress plugin (versions prior to 10.8.10.2) allows remote attackers to inject arbitrary PHP objects that get deserialized by the application, potentially leading to remote code execution when a suitable POP gadget chain is present. The flaw is reachable without authentication and carries a CVSS 9.8 critical rating with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

PHP Deserialization Thrive Apprentice
NVD
CVSS 3.1: 9.8
EPSS: 0.4%