CWE-502
AllowedDeserialization of Untrusted Data
Abstraction: Base · Status: Draft
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
4797 vulnerabilities reference this CWE, most recent first.
GHSA-2FJ3-QVR8-Q2C6
Vulnerability from github – Published: 2026-03-25 18:31 – Updated: 2026-03-26 18:31Deserialization of Untrusted Data vulnerability in thememount Apicona apicona allows Object Injection.This issue affects Apicona: from n/a through <= 24.1.0.
{
"affected": [],
"aliases": [
"CVE-2026-25400"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-25T17:16:49Z",
"severity": "HIGH"
},
"details": "Deserialization of Untrusted Data vulnerability in thememount Apicona apicona allows Object Injection.This issue affects Apicona: from n/a through \u003c= 24.1.0.",
"id": "GHSA-2fj3-qvr8-q2c6",
"modified": "2026-03-26T18:31:34Z",
"published": "2026-03-25T18:31:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25400"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Theme/apicona/vulnerability/wordpress-apicona-theme-24-1-0-php-object-injection-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2FMJ-C726-JMV7
Vulnerability from github – Published: 2026-06-30 21:31 – Updated: 2026-06-30 21:31IBM Langflow OSS 1.0.0 through 1.10.0 allows users with Redis access to execute arbitrary code with full application privileges, compromising all secrets, data, and system integrity.
{
"affected": [],
"aliases": [
"CVE-2026-7871"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-30T20:17:31Z",
"severity": "CRITICAL"
},
"details": "IBM Langflow OSS 1.0.0 through 1.10.0 allows users with Redis access to execute arbitrary code with full application privileges, compromising all secrets, data, and system integrity.",
"id": "GHSA-2fmj-c726-jmv7",
"modified": "2026-06-30T21:31:44Z",
"published": "2026-06-30T21:31:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7871"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7278443"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2FMJ-P74R-3WJM
Vulnerability from github – Published: 2026-06-26 22:10 – Updated: 2026-06-26 22:10Summary
pontedilana/php-weasyprint guarded the output filename against the phar:// stream wrapper with a case-sensitive blacklist:
if (0 === \strpos($filename, 'phar://')) {
throw new \InvalidArgumentException('The output file cannot be a phar archive.');
}
PHP stream wrappers are case-insensitive, so PHAR://, Phar://, etc. bypass the check and reach fileExists() (file_exists()) in prepareOutput(). On PHP 7 (which the library still supports — PHP 7.4+), this triggers deserialization of a crafted PHAR archive's metadata, leading to remote code execution. This is the patch-bypass of CVE-2023-28115.
The same issue and fix were handled upstream in KnpLabs/snappy (GHSA-92rv-4j2h-8mjj).
Affected versions
pontedilana/php-weasyprint versions <= 2.5.1 (the case-sensitive guard was introduced in commit eb8accc, "Implement countermeasures for CVE-2023-28115").
Patched in: 2.6.0.
Privilege required
A caller able to control the output filename passed to generate() / generateFromHtml(), plus the ability to place a PHAR archive on the filesystem (e.g. via an upload). Exploitation of the deserialization requires the server to run PHP < 8.
Vulnerable code
src/AbstractGenerator.php, prepareOutput():
if (0 === \strpos($filename, 'phar://')) {
throw new \InvalidArgumentException('The output file cannot be a phar archive.');
}
strpos($filename, 'phar://') matches only the exact lowercase string, while the wrapper resolution is case-insensitive — PHAR://payload.phar is not caught.
Proof of concept
# Craft a PHAR with a fast-destruct gadget chain
phpggc -f Monolog/RCE1 exec 'touch /tmp/exploit' -p phar -o exploit.phar
<?php
use Pontedilana\PhpWeasyPrint\Pdf;
$pdf = new Pdf('/usr/local/bin/weasyprint');
// Case-altered wrapper bypasses the lowercase 'phar://' blacklist
$pdf->generateFromHtml('<h1>POC</h1>', 'PHAR://exploit.phar');
// On PHP < 8, the PHAR metadata is deserialized -> /tmp/exploit is created
Impact
- Remote code execution and filesystem access through PHAR metadata deserialization on PHP < 8, when the output filename is attacker-influenced and a PHAR can be planted.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H (8.1, High) — Critical in deployments running PHP 7 with an upload surface; adjust to your environment.
CWE-502 (Deserialization of Untrusted Data).
Suggested fix
Replace the case-sensitive blacklist with a scheme allow-list (file / no scheme), comparing the lowercased scheme parsed from the filename:
protected const ALLOWED_PROTOCOLS = ['file'];
protected function isProtocolAllowed(string $filename): bool
{
if (false === $parsed = \parse_url($filename)) {
throw new \InvalidArgumentException('The filename is not valid.');
}
$protocol = isset($parsed['scheme']) ? \strtolower($parsed['scheme']) : 'file';
// ...special-case Windows drive letters (C:\...) as 'file'...
return \in_array($protocol, self::ALLOWED_PROTOCOLS, true);
}
prepareOutput() then rejects any non-file scheme (phar, PHAR, php, http, ...) before file_exists() is reached.
Credit
Original vulnerability and patch-bypass reported upstream to KnpLabs/snappy by Rémi Matasse of Synacktiv (GHSA-92rv-4j2h-8mjj); identified as applicable to pontedilana/php-weasyprint, which mirrors the same code.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.5.1"
},
"package": {
"ecosystem": "Packagist",
"name": "pontedilana/php-weasyprint"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.6.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-49286"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-26T22:10:00Z",
"nvd_published_at": "2026-06-19T18:16:19Z",
"severity": "HIGH"
},
"details": "### Summary\n\n`pontedilana/php-weasyprint` guarded the output filename against the `phar://` stream wrapper with a case-sensitive blacklist:\n\n```php\nif (0 === \\strpos($filename, \u0027phar://\u0027)) {\n throw new \\InvalidArgumentException(\u0027The output file cannot be a phar archive.\u0027);\n}\n```\n\nPHP stream wrappers are **case-insensitive**, so `PHAR://`, `Phar://`, etc. bypass the check and reach `fileExists()` (`file_exists()`) in `prepareOutput()`. On PHP 7 (which the library still supports \u2014 PHP 7.4+), this triggers deserialization of a crafted PHAR archive\u0027s metadata, leading to remote code execution. This is the patch-bypass of CVE-2023-28115.\n\nThe same issue and fix were handled upstream in KnpLabs/snappy ([GHSA-92rv-4j2h-8mjj](https://github.com/KnpLabs/snappy/security/advisories/GHSA-92rv-4j2h-8mjj)).\n\n### Affected versions\n\n`pontedilana/php-weasyprint` versions `\u003c= 2.5.1` (the case-sensitive guard was introduced in commit `eb8accc`, \"Implement countermeasures for CVE-2023-28115\").\n\nPatched in: `2.6.0`.\n\n### Privilege required\n\nA caller able to control the output filename passed to `generate()` / `generateFromHtml()`, plus the ability to place a PHAR archive on the filesystem (e.g. via an upload). Exploitation of the deserialization requires the server to run PHP \u003c 8.\n\n### Vulnerable code\n\n`src/AbstractGenerator.php`, `prepareOutput()`:\n\n```php\nif (0 === \\strpos($filename, \u0027phar://\u0027)) {\n throw new \\InvalidArgumentException(\u0027The output file cannot be a phar archive.\u0027);\n}\n```\n\n`strpos($filename, \u0027phar://\u0027)` matches only the exact lowercase string, while the wrapper resolution is case-insensitive \u2014 `PHAR://payload.phar` is not caught.\n\n### Proof of concept\n\n```bash\n# Craft a PHAR with a fast-destruct gadget chain\nphpggc -f Monolog/RCE1 exec \u0027touch /tmp/exploit\u0027 -p phar -o exploit.phar\n```\n\n```php\n\u003c?php\nuse Pontedilana\\PhpWeasyPrint\\Pdf;\n\n$pdf = new Pdf(\u0027/usr/local/bin/weasyprint\u0027);\n// Case-altered wrapper bypasses the lowercase \u0027phar://\u0027 blacklist\n$pdf-\u003egenerateFromHtml(\u0027\u003ch1\u003ePOC\u003c/h1\u003e\u0027, \u0027PHAR://exploit.phar\u0027);\n// On PHP \u003c 8, the PHAR metadata is deserialized -\u003e /tmp/exploit is created\n```\n\n### Impact\n\n- Remote code execution and filesystem access through PHAR metadata deserialization on PHP \u003c 8, when the output filename is attacker-influenced and a PHAR can be planted.\n\nCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H (8.1, High) \u2014 Critical in deployments running PHP 7 with an upload surface; adjust to your environment.\n\nCWE-502 (Deserialization of Untrusted Data).\n\n### Suggested fix\n\nReplace the case-sensitive blacklist with a scheme allow-list (`file` / no scheme), comparing the lowercased scheme parsed from the filename:\n\n```php\nprotected const ALLOWED_PROTOCOLS = [\u0027file\u0027];\n\nprotected function isProtocolAllowed(string $filename): bool\n{\n if (false === $parsed = \\parse_url($filename)) {\n throw new \\InvalidArgumentException(\u0027The filename is not valid.\u0027);\n }\n $protocol = isset($parsed[\u0027scheme\u0027]) ? \\strtolower($parsed[\u0027scheme\u0027]) : \u0027file\u0027;\n // ...special-case Windows drive letters (C:\\...) as \u0027file\u0027...\n return \\in_array($protocol, self::ALLOWED_PROTOCOLS, true);\n}\n```\n\n`prepareOutput()` then rejects any non-`file` scheme (`phar`, `PHAR`, `php`, `http`, ...) before `file_exists()` is reached.\n\n### Credit\n\nOriginal vulnerability and patch-bypass reported upstream to KnpLabs/snappy by R\u00e9mi Matasse of Synacktiv ([GHSA-92rv-4j2h-8mjj](https://github.com/KnpLabs/snappy/security/advisories/GHSA-92rv-4j2h-8mjj)); identified as applicable to `pontedilana/php-weasyprint`, which mirrors the same code.",
"id": "GHSA-2fmj-p74r-3wjm",
"modified": "2026-06-26T22:10:00Z",
"published": "2026-06-26T22:10:00Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/KnpLabs/snappy/security/advisories/GHSA-92rv-4j2h-8mjj"
},
{
"type": "WEB",
"url": "https://github.com/pontedilana/php-weasyprint/security/advisories/GHSA-2fmj-p74r-3wjm"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49286"
},
{
"type": "WEB",
"url": "https://github.com/pontedilana/php-weasyprint/commit/d1aa487722b5a3cab9b222b85fdb5608a5a550c3"
},
{
"type": "PACKAGE",
"url": "https://github.com/pontedilana/php-weasyprint"
},
{
"type": "WEB",
"url": "https://github.com/pontedilana/php-weasyprint/releases/tag/2.6.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "PhpWeasyPrint vulnerable to PHAR deserialization via output filename (CVE-2023-28115 case-insensitive bypass)"
}
GHSA-2G4W-JFV5-FGMR
Vulnerability from github – Published: 2025-12-18 09:30 – Updated: 2026-01-20 15:32Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms FreshDesk Plugin gf-freshdesk allows Object Injection.This issue affects WP Gravity Forms FreshDesk Plugin: from n/a through <= 1.3.5.
{
"affected": [],
"aliases": [
"CVE-2025-60089"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-18T08:16:09Z",
"severity": "CRITICAL"
},
"details": "Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms FreshDesk Plugin gf-freshdesk allows Object Injection.This issue affects WP Gravity Forms FreshDesk Plugin: from n/a through \u003c= 1.3.5.",
"id": "GHSA-2g4w-jfv5-fgmr",
"modified": "2026-01-20T15:32:30Z",
"published": "2025-12-18T09:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-60089"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/gf-freshdesk/vulnerability/wordpress-wp-gravity-forms-freshdesk-plugin-plugin-1-3-5-deserialization-of-untrusted-data-vulnerability?_s_id=cve"
},
{
"type": "WEB",
"url": "https://vdp.patchstack.com/database/Wordpress/Plugin/gf-freshdesk/vulnerability/wordpress-wp-gravity-forms-freshdesk-plugin-plugin-1-3-5-deserialization-of-untrusted-data-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2G6J-8HM3-67HP
Vulnerability from github – Published: 2025-05-23 15:31 – Updated: 2026-04-01 18:35Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Tour | Travel Agency WordPress allows Object Injection. This issue affects Grand Tour | Travel Agency WordPress: from n/a through 5.5.1.
{
"affected": [],
"aliases": [
"CVE-2025-39485"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-23T13:15:30Z",
"severity": "CRITICAL"
},
"details": "Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Tour | Travel Agency WordPress allows Object Injection. This issue affects Grand Tour | Travel Agency WordPress: from n/a through 5.5.1.",
"id": "GHSA-2g6j-8hm3-67hp",
"modified": "2026-04-01T18:35:14Z",
"published": "2025-05-23T15:31:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39485"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/theme/grandtour/vulnerability/wordpress-grandtour-theme-5-5-1-php-object-injection-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2GF3-M6C4-6GX9
Vulnerability from github – Published: 2025-01-30 15:31 – Updated: 2026-04-08 18:33The iControlWP – Multiple WordPress Site Manager plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.4.5 via deserialization of untrusted input from the reqpars parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.
{
"affected": [],
"aliases": [
"CVE-2024-13742"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-30T14:15:36Z",
"severity": "CRITICAL"
},
"details": "The iControlWP \u2013 Multiple WordPress Site Manager plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.4.5 via deserialization of untrusted input from the reqpars parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.",
"id": "GHSA-2gf3-m6c4-6gx9",
"modified": "2026-04-08T18:33:48Z",
"published": "2025-01-30T15:31:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13742"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/worpit-admin-dashboard-plugin/tags/4.4.5/lib/src/LegacyApi/RequestParameters.php#L42"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/worpit-admin-dashboard-plugin/tags/4.4.5/src/api/RequestParameters.php#L14"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3231425%40worpit-admin-dashboard-plugin\u0026new=3231425%40worpit-admin-dashboard-plugin\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6f25b0cc-60ec-49a0-8356-fd3fba97e987?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2GHQ-FX5M-357P
Vulnerability from github – Published: 2025-03-03 15:31 – Updated: 2025-09-02 21:30Insecure deserialization and improper certificate validation in Checkmk Exchange plugin check-mk-api prior to 5.8.1
{
"affected": [],
"aliases": [
"CVE-2024-47092"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-03T14:15:33Z",
"severity": "HIGH"
},
"details": "Insecure deserialization and improper certificate validation in Checkmk Exchange plugin check-mk-api prior to 5.8.1",
"id": "GHSA-2ghq-fx5m-357p",
"modified": "2025-09-02T21:30:56Z",
"published": "2025-03-03T15:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47092"
},
{
"type": "WEB",
"url": "https://github.com/HeinleinSupport/check_mk_extensions/commit/b5a2a7529e3367d7a643e66f05da4f2a27013904"
},
{
"type": "WEB",
"url": "https://exchange.checkmk.com/p/check-mk-api"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-2GMP-34J9-FQJM
Vulnerability from github – Published: 2026-04-01 18:36 – Updated: 2026-04-03 23:15An unauthenticated Remote Code Execution (RCE) vulnerability exists in applications that use the Replicator node package manager (npm) version 1.0.5 to deserialize untrusted user input and execute the resulting object.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "replicator"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.0.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-2265"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-03T23:15:20Z",
"nvd_published_at": "2026-04-01T17:28:38Z",
"severity": "MODERATE"
},
"details": "An unauthenticated Remote Code Execution (RCE) vulnerability exists in applications that use the Replicator node package manager (npm) version 1.0.5 to deserialize untrusted user input and execute the resulting object.",
"id": "GHSA-2gmp-34j9-fqjm",
"modified": "2026-04-03T23:15:20Z",
"published": "2026-04-01T18:36:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2265"
},
{
"type": "WEB",
"url": "https://github.com/inikulin/replicator/pull/19"
},
{
"type": "PACKAGE",
"url": "https://github.com/inikulin/replicator"
},
{
"type": "WEB",
"url": "https://morielharush.github.io/2026/03/31/cve-2026-2265-replicator-deserialization-of-untrusted-data"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Replicator deserializes untrusted user input"
}
GHSA-2GMP-8PR5-3JC6
Vulnerability from github – Published: 2022-05-24 19:10 – Updated: 2022-05-24 19:10In JetBrains TeamCity before 2020.2.4, there was an insecure deserialization.
{
"affected": [],
"aliases": [
"CVE-2021-37544"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-06T14:15:00Z",
"severity": "CRITICAL"
},
"details": "In JetBrains TeamCity before 2020.2.4, there was an insecure deserialization.",
"id": "GHSA-2gmp-8pr5-3jc6",
"modified": "2022-05-24T19:10:18Z",
"published": "2022-05-24T19:10:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37544"
},
{
"type": "WEB",
"url": "https://blog.jetbrains.com/blog/2021/08/05/jetbrains-security-bulletin-q2-2021"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-2GXW-G2PJ-PX2Q
Vulnerability from github – Published: 2025-01-07 06:32 – Updated: 2026-04-08 18:33The Custom Product Tabs for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.8.5 via deserialization of untrusted input in the 'yikes_woo_products_tabs' post meta parameter. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
{
"affected": [],
"aliases": [
"CVE-2024-11465"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-07T05:15:13Z",
"severity": "HIGH"
},
"details": "The Custom Product Tabs for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.8.5 via deserialization of untrusted input in the \u0027yikes_woo_products_tabs\u0027 post meta parameter. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.",
"id": "GHSA-2gxw-g2pj-px2q",
"modified": "2026-04-08T18:33:47Z",
"published": "2025-01-07T06:32:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11465"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/yikes-inc-easy-custom-woocommerce-product-tabs/trunk/admin/class.yikes-woo-generate-html.php#L19"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/yikes-inc-easy-custom-woocommerce-product-tabs/trunk/admin/class.yikes-woo-saved-tabs.php#L222"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/yikes-inc-easy-custom-woocommerce-product-tabs/trunk/admin/class.yikes-woo-saved-tabs.php#L449"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/yikes-inc-easy-custom-woocommerce-product-tabs/trunk/public/class.yikes-woo-tabs-display.php#L47"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/yikes-inc-easy-custom-woocommerce-product-tabs/trunk/yikes-inc-easy-custom-woocommerce-product-tabs.php#L262"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3271575"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1ad0d6eb-aafa-4f0b-bf1c-73d94e361087?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
Mitigation
When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.
Mitigation
Explicitly define a final object() to prevent deserialization.
Mitigation
- Make fields transient to protect them from deserialization.
- An attempt to serialize and then deserialize a class containing transient fields will result in NULLs where the transient data should be. This is an excellent way to prevent time, environment-based, or sensitive variables from being carried over and used improperly.
Mitigation
Avoid having unnecessary types or gadgets (a sequence of instances and method invocations that can self-execute during the deserialization process, often found in libraries) available that can be leveraged for malicious ends. This limits the potential for unintended or unauthorized types and gadgets to be leveraged by the attacker. Add only acceptable classes to an allowlist. Note: new gadgets are constantly being discovered, so this alone is not a sufficient mitigation.
Mitigation
Employ cryptography of the data or code for protection. However, it's important to note that it would still be client-side security. This is risky because if the client is compromised then the security implemented on the client (the cryptography) can be bypassed.
Mitigation MIT-29
Strategy: Firewall
Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].
CAPEC-586: Object Injection
An adversary attempts to exploit an application by injecting additional, malicious content during its processing of serialized objects. Developers leverage serialization in order to convert data or state into a static, binary format for saving to disk or transferring over a network. These objects are then deserialized when needed to recover the data/state. By injecting a malformed object into a vulnerable application, an adversary can potentially compromise the application by manipulating the deserialization process. This can result in a number of unwanted outcomes, including remote code execution.