Unauthenticated Attackers Can Inject PHP Object via Deserialization in WPBeginner's Last Viewed Posts Plugin
CVE-2024-3070

9.8 CRITICAL

Key Information:

Vendor: WordPress
CVE Published: 14 May 2024

Summary

The Last Viewed Posts plugin for WordPress, developed by WPBeginner, is susceptible to a PHP Object Injection vulnerability in all versions up to and including 1.0.0. The vulnerability arises from the deserialization of untrusted data taken from the LastViewedPosts cookie, which allows unauthenticated attackers to inject arbitrary PHP objects. There is no known property-oriented programming (POP) chain in the plugin itself; however, if it coexists with another vulnerable plugin or theme on the same WordPress installation, the injected objects could enable attackers to perform actions such as deleting arbitrary files, accessing sensitive information, or executing unauthorized code.
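The following PHP is an added illustration, not the plugin's own code: it shows the unsafe pattern the advisory describes (calling unserialize() on the LastViewedPosts cookie) beside a hardened version that stores a JSON list of post IDs and validates it. The function names and the JSON cookie format are assumptions made for this example; the cookie name comes from the advisory.

```php
<?php
// Illustrative example, not the plugin's code. The cookie name is from the
// advisory; function names and the JSON layout are assumptions for this example.

// VULNERABLE PATTERN: unserialize() on attacker-controlled cookie data. Any class
// loaded by WordPress, a plugin or a theme that defines __wakeup()/__destruct()
// can be instantiated by a remote user; that is what "PHP Object Injection" means.
function last_viewed_posts_unsafe(): array {
    if (!isset($_COOKIE['LastViewedPosts'])) {
        return [];
    }
    $ids = unserialize(stripslashes($_COOKIE['LastViewedPosts']));
    return is_array($ids) ? $ids : [];
}

// HARDENED: never unserialize() client input. Decode JSON instead (json_decode()
// cannot create arbitrary objects) and accept only a bounded list of positive ints.
const LVP_MAX_IDS = 20;

function last_viewed_posts_safe(): array {
    if (!isset($_COOKIE['LastViewedPosts'])) {
        return [];
    }
    // Depth 2 allows a flat array of scalars and nothing deeper.
    $decoded = json_decode(stripslashes($_COOKIE['LastViewedPosts']), true, 2);
    if (!is_array($decoded)) {
        return [];
    }
    $ids = [];
    foreach (array_slice($decoded, 0, LVP_MAX_IDS) as $v) {
        // Only integer values > 0 survive; strings, floats and nested data are dropped.
        if (is_int($v) && $v > 0) {
            $ids[] = $v;
        }
    }
    return array_values(array_unique($ids));
}

// When writing the cookie, emit JSON rather than serialize(). wp_json_encode(),
// DAY_IN_SECONDS and COOKIEPATH are standard WordPress APIs and constants.
function set_last_viewed_posts_cookie(array $ids): void {
    $ids = array_values(array_filter(array_map('intval', $ids), fn($i) => $i > 0));
    setcookie('LastViewedPosts', wp_json_encode(array_slice($ids, 0, LVP_MAX_IDS)), [
        'expires'  => time() + DAY_IN_SECONDS,
        'path'     => COOKIEPATH,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}
```

If a legacy serialized cookie must still be read during a transition, `unserialize($raw, ['allowed_classes' => false])` prevents object instantiation, but the validated JSON path above is the safer end state.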

Affected Version(s)

Last Viewed Posts by WPBeginner: all versions <= 1.0.0

CVSS v3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Credit

Francesco Carlucci