Vulnerability in Flipbox Builder plugin allows PHP Object Injection
CVE-2024-6152
8.8 HIGH
What is CVE-2024-6152?
The Flipbox Builder plugin for WordPress is vulnerable to PHP Object Injection due to improper handling of untrusted input in its flipbox_builder_Flipbox_ShortCode function. The vulnerability affects all versions up to and including 1.5 and allows authenticated users with Contributor-level access and higher to inject arbitrary PHP objects into the application. No known property-oriented programming (POP) chain exists in the vulnerable code itself, but if such a chain is present in another installed plugin or theme, attackers could use it to delete files, access sensitive information, or execute arbitrary code. Monitoring and timely updates are crucial to mitigating the risks associated with this vulnerability.
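An added example, not Flipbox Builder's own code: one way to decode serialized settings so that input can never instantiate a class from another plugin or theme, which is what a POP chain depends on. The function names `safe_decode_settings` and `contains_object` and the sample values are hypothetical.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not from the plugin): decode stored settings
 * without instantiating any class named by the input.
 */
function safe_decode_settings(string $raw): ?array
{
    // allowed_classes => false (PHP 7.0+) turns every serialized object
    // into __PHP_Incomplete_Class, so no __wakeup() or __destruct() of a
    // real class loaded by another plugin or theme is ever triggered.
    $value = @unserialize($raw, ['allowed_classes' => false]);

    // unserialize() returns false on malformed input; anything that is
    // not the expected array is rejected as well.
    if (!is_array($value)) {
        return null;
    }
    return contains_object($value) ? null : $value;
}

/** Recursively report whether any object remains in the decoded data. */
function contains_object(array $data): bool
{
    foreach ($data as $item) {
        // Explicit instanceof check: before PHP 7.2, is_object() returned
        // false for __PHP_Incomplete_Class.
        if ($item instanceof __PHP_Incomplete_Class || is_object($item)) {
            return true;
        }
        if (is_array($item) && contains_object($item)) {
            return true;
        }
    }
    return false;
}

// Constructed sample inputs: a plain settings array, the same array with
// an embedded object, and a string that is not serialized data at all.
$plain   = serialize(['title' => 'Front', 'color' => '#ffffff']);
$object  = serialize(['title' => 'Front', 'extra' => new stdClass()]);
$garbage = 'not serialized data';

foreach ([$plain, $object, $garbage] as $sample) {
    var_dump(safe_decode_settings($sample));
}
```

Only the plain array is returned; the other two inputs are rejected. For newly written data, `json_encode()`/`json_decode()` avoids the object-instantiation path entirely.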