ShiftController Employee Shift Scheduling Plugin Vulnerable to PHP Object Injection via Deserialization
CVE-2024-4733

CVSS 7.5 HIGH

Key Information:

Vendor: Plainware
Product: ShiftController Employee Shift Scheduling
CVE Published: 16 May 2024

Summary

The ShiftController Employee Shift Scheduling plugin for WordPress, by Plainware, is vulnerable to PHP Object Injection in all versions up to and including 4.9.57 through deserialization of untrusted input taken from the hc3_session cookie. An authenticated attacker with Contributor-level access or higher can place a crafted serialized value in that cookie and have the plugin instantiate an arbitrary PHP object. The plugin itself contains no known Property-Oriented Programming (POP) chain, so exploitation depends on a gadget chain supplied by another installed plugin or theme; where one is present, the impact can include file deletion, retrieval of sensitive data, or arbitrary code execution. Sites should update to a release later than 4.9.57 and review the other plugins and themes installed alongside it, since those determine the practical impact of the deserialization sink.
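The following PHP script is an added illustration of the bug class described above; it is not code from the ShiftController plugin or from Plainware. The LogFlusher gadget class, the cookie payload and the temporary file path are assumptions for the demo (PHP 8 or later assumed). It shows why a bare unserialize() on a cookie such as hc3_session is dangerous even when the plugin has no gadget of its own: any class with a side-effecting magic method that happens to be loaded, from any plugin or theme, becomes reachable. The same payload is then fed to two hardened variants, one that forbids class instantiation and one that switches the cookie format to JSON.

```php
<?php
declare(strict_types=1);

// Added illustration of the CVE-2024-4733 bug class, NOT the plugin's code.
// LogFlusher, the payload and the file path are assumptions for the demo.

// Hypothetical gadget: a class whose magic method has a side effect. In a
// real attack it would come from some *other* plugin or theme; the
// vulnerable plugin only contributes the unserialize() sink.
final class LogFlusher
{
    public string $path = '';
    public string $data = '';

    public function __destruct()
    {
        // Attacker controls both properties => arbitrary file write.
        file_put_contents($this->path, $this->data);
    }
}

// Build the attacker's cookie value by hand so that no LogFlusher object is
// created (and therefore destroyed) on the attacker's side.
function buildPayload(string $path, string $data): string
{
    return sprintf(
        'O:10:"LogFlusher":2:{s:4:"path";s:%d:"%s";s:4:"data";s:%d:"%s";}',
        strlen($path), $path, strlen($data), $data
    );
}

// Vulnerable pattern: a cookie (think $_COOKIE['hc3_session']) is treated
// as serialized PHP state, so any class named in it gets instantiated.
function loadSessionVulnerable(string $cookie): mixed
{
    return unserialize($cookie);
}

// Mitigation: forbid class instantiation. Objects in the cookie become
// __PHP_Incomplete_Class, whose magic methods never run.
function loadSessionHardened(string $cookie): mixed
{
    return unserialize($cookie, ['allowed_classes' => false]);
}

// Preferred fix: a format that cannot describe objects at all.
function loadSessionJson(string $cookie): array
{
    $state = json_decode($cookie, true, 8, JSON_THROW_ON_ERROR);
    return is_array($state) ? $state : [];
}

$target  = sys_get_temp_dir() . '/poi-demo-' . getmypid() . '.txt';
$payload = buildPayload($target, "written by gadget\n");

// 1. Vulnerable sink: the gadget is instantiated and fires on destruction.
$obj = loadSessionVulnerable($payload);
printf("vulnerable: got %s\n", get_class($obj));
unset($obj);
printf("  file written? %s\n", file_exists($target) ? 'yes' : 'no');
@unlink($target);

// 2. Hardened sink: same payload, no gadget, nothing executes.
$obj = loadSessionHardened($payload);
printf("hardened:   got %s\n", get_class($obj));
unset($obj);
printf("  file written? %s\n", file_exists($target) ? 'yes' : 'no');

// 3. JSON: the same attacker string is simply rejected.
try {
    loadSessionJson($payload);
} catch (JsonException $e) {
    printf("json:       rejected (%s)\n", $e->getMessage());
}
```

Run it with `php demo.php`: the first block reports a LogFlusher and a written file, the second reports __PHP_Incomplete_Class and no file, the third a JSON syntax error. In a WordPress deployment the cookie is reachable over the network by any logged-in Contributor, which is why the CVSS vector scores Privileges Required as Low; the High attack complexity reflects the need for a gadget chain that the plugin itself does not provide.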

Affected Version(s)

ShiftController Employee Shift Scheduling: all versions <= 4.9.57

References

CVSS V3.1

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Score: 7.5
Severity: HIGH
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Collectors

NVD Database, MITRE Database

Credit

Peter Thaleikis