Vulnerability in Hubbub Social Sharing Buttons Plugin Allows PHP Object Injection
CVE-2024-2501

7.5HIGH

Key Information:

Vendor
Wordpress
Status
Hubbub Lite – Fast, Reliable Social Sharing Buttons
Vendor
CVE Published:
9 April 2024

Summary

The Hubbub Lite – Fast, Reliable Social Sharing Buttons plugin for WordPress contains a vulnerability that permits PHP Object Injection due to improper handling of untrusted input via the 'dpsp_maybe_unserialize' function. Authenticated attackers with contributor access or higher can exploit this vulnerability to inject PHP Objects. Although the plugin does not contain a native PHP Object Injection Chain (POP), the presence of additional plugins or themes with exploitable chains poses a risk. Successful exploitation could lead to the deletion of arbitrary files, unauthorized retrieval of sensitive information, or remote code execution.

Affected Version(s)

Hubbub Lite – Fast, Reliable Social Sharing Buttons * <= 1.33.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/social-pug/tru...
https://plugins.trac.wordpress.org/browser/social-pug/tru...

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Craig Smith
.