Unauthenticated PHP Object Injection Vulnerability in Print Science Designer Plugin
CVE-2024-12312

8.1 HIGH

Key Information:

Vendor: WordPress
CVE Published: 12 December 2024

Summary

The Print Science Designer plugin for WordPress is affected by a PHP Object Injection vulnerability in all versions up to and including 1.3.152. The plugin deserializes untrusted input from the 'designer-saved-projects' cookie, which allows unauthenticated attackers to inject a PHP object. No known property-oriented programming (POP) chain exists in the vulnerable software itself, but if an additional plugin or theme installed on the site provides such a chain, attackers could delete arbitrary files, access sensitive information, or execute malicious code.
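A detection check for the cookie named in the summary, added here as an example and not taken from the plugin or the advisory: it flags requests whose 'designer-saved-projects' cookie carries a serialized PHP object token. It assumes the value is URL-encoded the way PHP's setcookie() encodes it; the function names and the sample Cookie headers are constructed for illustration.

```python
import re
from urllib.parse import unquote

COOKIE_NAME = "designer-saved-projects"  # cookie named in the advisory

# A serialized PHP object starts with O:<len>:"Class" (or C:<len>:"Class" for
# Serializable classes), at the start of the value or nested after ';' or '{'.
OBJECT_TOKEN = re.compile(r'(?:^|[;{])[OC]:\+?\d+:"([^"]+)"')

def cookie_value(cookie_header, name=COOKIE_NAME):
    """Return the raw value of `name` from a Cookie request header, or None."""
    for part in cookie_header.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep and key == name:
            return value
    return None

def decode(value, rounds=3):
    """URL-decode repeatedly so double-encoded values are still inspected."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def injected_classes(cookie_header):
    """Class names of serialized objects found in the cookie (empty if none)."""
    raw = cookie_value(cookie_header)
    if raw is None:
        return []
    return OBJECT_TOKEN.findall(decode(raw))

# Constructed sample Cookie headers (not real traffic); stdClass is a harmless
# built-in class used only to exercise the pattern.
SAMPLES = [
    "wp_lang=en_US; designer-saved-projects=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22p-101%22%3B%7D",
    "designer-saved-projects=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D",
    "designer-saved-projects=a%253A1%253A%257Bi%253A0%253BO%253A8%253A%2522stdClass"
    "%2522%253A0%253A%257B%257D%257D",
    "session=abc",
]

if __name__ == "__main__":
    for header in SAMPLES:
        found = injected_classes(header)
        print("ALERT" if found else "ok   ", found, header[:60])
```

A string field that happens to contain text resembling an object token will also match, so treat hits as leads to review rather than confirmed attempts.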

Affected Version(s)

Print Science Designer * <= 1.3.152

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Brian Sans-Souci