CVE-2023-47130 HIGH

CVE-2023-47130: Unsafe deserialization of user data in yiisoft/yii

Vendor Yiisoft

Product yii

Weakness CWE-502 · Unsafe deserialization

Published November 14, 2023

Last update August 14, 2024

View on NVD All CVEs

CVSS base score

8.1/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Yii is an open source PHP web framework. yiisoft/yii before version 1.1.29 are vulnerable to Remote Code Execution (RCE) if the application calls `unserialize()` on arbitrary user input. An attacker may leverage this vulnerability to compromise the host system. A fix has been developed for the 1.1.29 release. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Key dates

02Disclosure timeline

November 14, 2023 CVE published

August 14, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-47130 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/502.html

Related vulnerabilities

04Related CVE

CVE-2026-22333 WordPress YITH WooCommerce Compare plugin <= 3.6.0 - Deserialization of untrusted data vulnerability CVE-2024-23513 WordPress PropertyHive Plugin <= 2.0.5 is vulnerable to PHP Object Injection CVE-2025-11993 WooCommerce Infinite Scroll and Ajax Pagination <= 1.8 - Authenticated (Subscriber+) PHP Object Injection CVE-2025-7696 Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.2.3 - Unauthenticated PHP Object Injection via verify_field_val Function CVE-2025-9188 Deserialization of Untrusted Data when parsing a DSB file with Digilent DASYLab