CVE-2020-36727

Опубликовано: 07 июн. 2023

Источник: nvd

CVSS3: 9.8

EPSS Низкий

Описание

The Newsletter Manager plugin for WordPress is vulnerable to insecure deserialization in versions up to, and including, 1.5.1. This is due to unsanitized input from the 'customFieldsDetails' parameter being passed through a deserialization function. This potentially makes it possible for unauthenticated attackers to inject a serialized PHP object.

Ссылки

https://blog.nintechnet.com/insecure-deserialization-vulnerability-in-wordpress-newsletter-manager-plugin-unpatched/
Exploit
https://wpscan.com/vulnerability/b82124b1-e5e1-4f1e-9513-90474fd3f066
Third Party Advisory
https://www.wordfence.com/threat-intel/vulnerabilities/id/dcfd8c4d-d48b-468d-a7d5-1ec05b068f79?source=cve
Third Party Advisory
https://blog.nintechnet.com/insecure-deserialization-vulnerability-in-wordpress-newsletter-manager-plugin-unpatched/
Exploit
https://wpscan.com/vulnerability/b82124b1-e5e1-4f1e-9513-90474fd3f066
Third Party Advisory
https://www.wordfence.com/threat-intel/vulnerabilities/id/dcfd8c4d-d48b-468d-a7d5-1ec05b068f79?source=cve
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:xyzscripts:newsletter_manager:*:*:-:*:-:wordpress:*:*

Версия до 1.5.1 (включая)

EPSS

Процентиль: 73%

0.00765

Низкий

9.8 Critical

CVSS3

Дефекты

CWE-502

Связанные уязвимости

GHSA-xj95-mhv8-mh4r