Weforms

1 CVEs product

Monthly

CVE-2026-32484 HIGH This Week

A PHP object injection vulnerability exists in BoldGrid weForms plugin through version 1.6.26 due to unsafe deserialization of untrusted data, allowing attackers to instantiate arbitrary objects and potentially execute remote code or manipulate application state. This affects WordPress installations using the vulnerable weForms plugin versions, and exploitation requires no authentication based on the deserialization attack vector. While no CVSS score or EPSS data is currently available, the CWE-502 classification and object injection capability represent a critical-severity issue typical of deserialization flaws that often lead to remote code execution.

Deserialization Weforms
NVD VulDB
CVSS 3.1: 8.8
EPSS: 0.0%