Description
Deserialization of Untrusted Data vulnerability in bestweblayout Rating by BestWebSoft rating-bws allows Object Injection. This issue affects Rating by BestWebSoft: from n/a through <= 1.7.
CVSS base score: 8.8 (High), as computed from the CVSS 3.1 vector below
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Explanation of Vulnerability in Simple Terms
The Rating by BestWebSoft plugin for WordPress contains a deserialization vulnerability in versions 1.7 and earlier. An authenticated attacker with low privileges can send a specially crafted request to deserialize untrusted data, leading to remote code execution. This allows the attacker to run their own PHP code on the site with full control over data and functionality.
What an attacker can do
Run their own code on the site, read/modify any data, and take full control of the WordPress installation.
Potential impact on your site
Any user with a low-privilege account can compromise the entire site. Immediate patching and account audit required.
Conditions required to exploit
Attacker must have a low-privilege WordPress user account (e.g., subscriber or contributor role).
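The following PHP is an added illustration of the deserialization pattern the advisory describes and of how a handler is hardened against it; it is not code from the Rating by BestWebSoft plugin, and the advisory does not say where in rating-bws the deserialization happens. The function names, the request parameter and the sample payloads are hypothetical, constructed for this example.

```php
<?php
// Added illustration for the advisory above. This is NOT code from the
// Rating by BestWebSoft (rating-bws) plugin; the advisory does not say where
// that plugin deserializes input. Function names and the sample payloads
// below are hypothetical / constructed.
declare(strict_types=1);

/**
 * Vulnerable pattern (CWE-502): unserialize() on request data.
 * PHP instantiates whatever class the payload names, and that class's
 * magic methods (__wakeup, __destruct, __toString, ...) run on
 * attacker-chosen property values. That is "PHP Object Injection".
 */
function rating_load_state_vulnerable(string $raw)
{
    return unserialize($raw);
}

/**
 * Hardened option 1: keep the serialize() format but refuse objects.
 * With ['allowed_classes' => false] every object in the payload becomes
 * __PHP_Incomplete_Class, so no application class is instantiated and
 * none of its magic methods run. The caller then insists on a plain array.
 */
function rating_load_state_no_objects(string $raw): ?array
{
    $data = @unserialize($raw, ['allowed_classes' => false]);
    return is_array($data) ? $data : null;
}

/**
 * Hardened option 2 (preferred for new code): carry state as JSON, which
 * cannot express PHP objects at all, then validate the shape you expect.
 */
function rating_load_state_json(string $raw): ?array
{
    $data = json_decode($raw, true, 8);
    if (json_last_error() !== JSON_ERROR_NONE || !is_array($data)) {
        return null;
    }
    // Allow-list exactly the fields and types the feature needs.
    if (!isset($data['post_id'], $data['stars'])
        || !is_int($data['post_id']) || !is_int($data['stars'])
        || $data['stars'] < 1 || $data['stars'] > 5) {
        return null;
    }
    return ['post_id' => $data['post_id'], 'stars' => $data['stars']];
}

// Constructed sample inputs (not taken from the advisory).
$benign = serialize(['post_id' => 12, 'stars' => 4]);
// A serialized stdClass: harmless by itself, but it shows that unserialize()
// builds an object of any class the untrusted bytes name.
$objectPayload = 'O:8:"stdClass":1:{s:5:"stars";i:4;}';

var_dump(rating_load_state_vulnerable($objectPayload) instanceof stdClass); // an object was built from the input
var_dump(rating_load_state_no_objects($objectPayload));                   // refused: not a plain array
var_dump(rating_load_state_no_objects($benign));                          // plain array accepted
var_dump(rating_load_state_json('{"post_id":12,"stars":4}'));             // validated array
var_dump(rating_load_state_json('{"post_id":12,"stars":9}'));             // out of range, refused
```

Inside WordPress, the hardened loader should additionally sit behind a nonce check (`check_admin_referer()` or `wp_verify_nonce()`) and a capability check (`current_user_can()`) chosen for the action, because the advisory's PR:L rating means the reachable code path only required a low-privilege account. Refusing objects at the `unserialize()` call is what removes the object-injection primitive; the capability check reduces who can reach the handler at all.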