wpDataTables < 2.1.66 - Admin+ PHP Object Injection
CVE-2023-4314
Key Information:
- Vendor: WordPress
- Status
- CVE Published: 11 September 2023
What is CVE-2023-4314?
The wpDataTables plugin for WordPress versions prior to 2.1.66 has a deserialization vulnerability that arises from improper validation of input data, specifically when handling serialized PHP arrays. This flaw enables administrative users to deserialize arbitrary data, potentially leading to remote code execution if a suitable gadget chain exists on the server. The risk is particularly acute in environments such as multisite setups, where admin rights should be restricted to prevent unauthorized code execution.
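As an added illustration (not code from wpDataTables or from the advisory's author), the following PHP shows the generic sink the description refers to, a bare unserialize() on caller-supplied data, next to the hardened forms a maintainer would use when only a serialized array is expected. The class ExampleGadget, the function names and the sample inputs are all constructed for this example.

```php
<?php
// Added illustration, not wpDataTables code: why bare unserialize() on
// user-controlled data is a PHP Object Injection sink, and how to close it.

// A harmless stand-in for any "gadget" class: its __wakeup() runs
// automatically whenever an instance is rebuilt by unserialize().
class ExampleGadget {
    public $log = '';
    public function __wakeup() { $this->log = 'wakeup ran'; }
}

// Vulnerable pattern: whatever class the caller names gets instantiated,
// and its magic methods run with the server's privileges.
function vulnerableLoad(string $data) {
    return unserialize($data);
}

// Hardened pattern 1: refuse every class. Objects come back as
// __PHP_Incomplete_Class, so no magic method runs; plain arrays still work.
function hardenedLoad(string $data) {
    return unserialize($data, ['allowed_classes' => false]);
}

// Hardened pattern 2: additionally insist on the type you expect (an array)
// and reject everything else, so callers cannot smuggle objects at all.
function loadArrayOnly(string $data): ?array {
    $v = unserialize($data, ['allowed_classes' => false]);
    return is_array($v) ? $v : null;
}

// Constructed inputs: a legitimate column definition and an object payload.
$arrayInput  = serialize(['col' => 'name', 'width' => 100]);
$objectInput = 'O:13:"ExampleGadget":1:{s:3:"log";s:0:"";}';

$o = vulnerableLoad($objectInput);
var_dump($o instanceof ExampleGadget, $o->log); // bool(true), "wakeup ran"

$h = hardenedLoad($objectInput);
var_dump($h instanceof __PHP_Incomplete_Class);  // bool(true): inert

var_dump(loadArrayOnly($arrayInput));   // array(2) { col, width }
var_dump(loadArrayOnly($objectInput));  // NULL: object payload rejected
```

The allowed_classes option exists since PHP 7.0; where the stored data never needs objects at all, switching the format to JSON (json_encode/json_decode) removes the sink entirely rather than filtering it.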
Affected Version(s)
wpDataTables 0 < 2.1.66
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which can lead to ransomware.
References
CVSS V3.1
Timeline
- 🟡 Public PoC available
- 👾 Exploit known to exist
- Vulnerability published
- Vulnerability reserved