CVE-2023-3343 - OpenCVE

The User Registration plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 3.0.1 via deserialization of untrusted input from the 'profile-pic-url' parameter. This allows authenticated attackers, with subscriber-level permissions and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Wpeverest	User Registration

Configuration 1 [-]

cpe:2.3:a:wpeverest:user_registration:*:*:*:*:*:wordpress:*:*

References

Link	Resource
https://plugins.trac.wordpress.org/browser/user-registration/tags/3.0.1/includes/functions-ur-core.php#L3156	Patch
https://plugins.trac.wordpress.org/changeset/2932199/user-registration/trunk/includes/functions-ur-core.php#file0	Patch
https://www.wordfence.com/threat-intel/vulnerabilities/id/3590277a-3319-4707-b728-d75ea59e8ad9?source=cve	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: Wordfence

Published: 2023-07-13T02:04:14.751Z

Updated: 2023-07-13T02:04:14.751Z

Reserved: 2023-06-20T17:22:00.922Z

Link: CVE-2023-3343

JSON object: View

NVD Information

Status : Modified

Published: 2023-07-13T03:15:10.143

Modified: 2023-11-07T04:18:33.710

Link: CVE-2023-3343

JSON object: View

Redhat Information

No data.

CWE

No CWE.

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-3343", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2023-06-20T17:22:00.922Z", "datePublished": "2023-07-13T02:04:14.751Z", "dateUpdated": "2023-07-13T02:04:14.751Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2023-07-13T02:04:14.751Z"}, "affected": [{"vendor": "wpeverest", "product": "User Registration \u2013 Custom Registration Form, Login Form And User Profile For WordPress", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "3.0.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The User Registration plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 3.0.1 via deserialization of untrusted input from the 'profile-pic-url' parameter. This allows authenticated attackers, with subscriber-level permissions and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code."}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3590277a-3319-4707-b728-d75ea59e8ad9?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/user-registration/tags/3.0.1/includes/functions-ur-core.php#L3156"}, {"url": "https://plugins.trac.wordpress.org/changeset/2932199/user-registration/trunk/includes/functions-ur-core.php#file0"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Lana Codes"}], "timeline": [{"time": "2023-06-19T00:00:00.000+00:00", "lang": "en", "value": "Discovered"}, {"time": "2023-06-19T00:00:00.000+00:00", "lang": "en", "value": "Vendor Notified"}, {"time": "2023-06-29T00:00:00.000+00:00", "lang": "en", "value": "Disclosed"}]}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wpeverest:user_registration:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "2D450782-9C36-4694-9C41-503B702D1F56", "versionEndIncluding": "3.0.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The User Registration plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 3.0.1 via deserialization of untrusted input from the 'profile-pic-url' parameter. This allows authenticated attackers, with subscriber-level permissions and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code."}, {"lang": "es", "value": "El plugin User Registration para WordPress es vulnerable a la inyecci\u00f3n de objetos PHP en versiones hasta la 3.0.1 inclusive a trav\u00e9s de la deserializaci\u00f3n de la entrada no fiable del par\u00e1metro \"profile-pic-url\". Esto permite a atacantes autenticados, con permisos de nivel de suscriptor y superiores, inyectar un objeto PHP. Ninguna cadena POP est\u00e1 presente en el plugin vulnerable. Si una cadena POP est\u00e1 presente a trav\u00e9s de un plugin adicional o tema instalado en el sistema objetivo, podr\u00eda permitir al atacante eliminar archivos arbitrarios, recuperar datos sensibles o ejecutar c\u00f3digo. "}], "id": "CVE-2023-3343", "lastModified": "2023-11-07T04:18:33.710", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2023-07-13T03:15:10.143", "references": [{"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/browser/user-registration/tags/3.0.1/includes/functions-ur-core.php#L3156"}, {"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/2932199/user-registration/trunk/includes/functions-ur-core.php#file0"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3590277a-3319-4707-b728-d75ea59e8ad9?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Modified"}