CVE-2024-6152 HIGH

CVE-2024-6152: Flipbox Builder <= 1.5 - Authenticated (Contributor+) PHP Object Injection

Vendor Wptexture
Product Flipbox Builder
Weakness CWE-502 · Unsafe deserialization
Published July 27, 2024
Last update April 8, 2026
View on NVD All CVEs

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

The Flipbox Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.5 via deserialization of untrusted input in the flipbox_builder_Flipbox_ShortCode function. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Key dates

02Disclosure timeline

July 27, 2024 CVE published
April 8, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2023-3234 Zhong Bang CRMEB PublicController.php put_image deserialization CVE-2023-49777 WordPress YITH WooCommerce Product Add-Ons Plugin <= 4.3.0 is vulnerable to PHP Object Injection CVE-2025-52828 WordPress Red Art theme <= 3.8 - PHP Object Injection Vulnerability CVE-2024-53247 Remote Code Execution through Deserialization of Untrusted Data in Splunk Secure Gateway app CVE-2025-32658 WordPress HelpGent plugin <= 2.2.5 - PHP Object Injection vulnerability