Описание
The Flickr Gallery plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.5.2 via deserialization of untrusted input from the pager parameter. This allows unauthenticated attackers to inject a PHP Object. Attackers were actively exploiting this vulnerability with the WP_Theme() class to create backdoors.
The Flickr Gallery plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.5.2 via deserialization of untrusted input from the pager parameter. This allows unauthenticated attackers to inject a PHP Object. Attackers were actively exploiting this vulnerability with the WP_Theme() class to create backdoors.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2017-20207
- https://plugins.trac.wordpress.org/changeset/1737576/flickr-gallery
- https://www.wordfence.com/blog/2017/10/3-zero-day-plugin-vulnerabilities-exploited-wild
- https://www.wordfence.com/threat-intel/vulnerabilities/id/b52ae51d-7b9a-4047-82bf-723ea87d2375?source=cve
Связанные уязвимости
The Flickr Gallery plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.5.2 via deserialization of untrusted input from the `pager ` parameter. This allows unauthenticated attackers to inject a PHP Object. Attackers were actively exploiting this vulnerability with the WP_Theme() class to create backdoors.