The BuddyForms WordPress plugin, in versions prior to 2.7.8, was affected by an unauthenticated insecure deserialization issue. An unauthenticated attacker could leverage this issue to call files using a PHAR wrapper that will deserialize the data and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present.
References
Link | Resource |
---|---|
https://www.tenable.com/security/research/tra-2023-7 | Exploit Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: tenable
Published: 2023-02-23T00:00:00
Updated: 2023-02-23T00:00:00
Reserved: 2023-02-22T00:00:00
Link: CVE-2023-26326
JSON object: View
NVD Information
Status : Analyzed
Published: 2023-02-23T20:15:14.243
Modified: 2023-03-03T16:46:29.717
Link: CVE-2023-26326
JSON object: View
Redhat Information
No data.
CWE