What the vulnerability does
Deserialization of Untrusted Data vulnerability in Mario Peshev WP-CRM System wp-crm-system allows Object Injection. This issue affects WP-CRM System: from n/a through <= 3.4.5.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Explanation of Vulnerability in Simple Terms
WP-CRM System versions 3.4.5 and earlier contain a deserialization vulnerability in how they process untrusted data. An authenticated administrator can craft malicious serialized objects that execute arbitrary PHP code when deserialized. This requires high-level site access but can lead to complete site compromise.
What an attacker can do
Run arbitrary PHP code on the site with full privileges.
Potential impact on your site
A compromised admin account can take over your entire site, steal data, or inject malware.
Conditions required to exploit
Attacker must have administrator-level access to the WordPress site.
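The vulnerable pattern described above, shown beside two hardened forms and a small detection helper, as an added PHP example. This is illustrative code written for this page, not code from WP-CRM System: the settings-import scenario, the function names and the sample payloads are constructed assumptions.

```php
<?php
// Added illustration, not code from WP-CRM System. The settings-import
// scenario, function names and payloads below are assumptions for the example.

// Unsafe pattern: unserialize() on attacker-controlled input. PHP instantiates
// whatever class the payload names, and magic methods such as __wakeup() or
// __destruct() run on those objects. That is PHP Object Injection.
function import_settings_unsafe(string $raw): array {
    $data = unserialize($raw); // untrusted data reaches unserialize() unrestricted
    return is_array($data) ? $data : [];
}

// Hardened pattern 1: forbid object instantiation. With allowed_classes => false
// every serialized object becomes __PHP_Incomplete_Class, so no magic method of
// a real class is invoked. Nested objects are then rejected explicitly.
function import_settings_no_objects(string $raw): array {
    $data = unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return [];
    }
    array_walk_recursive($data, function ($v) {
        if (is_object($v)) {
            throw new InvalidArgumentException('Objects are not permitted in settings data');
        }
    });
    return $data;
}

// Hardened pattern 2 (preferred for new code): use JSON, which has no
// class-instantiation semantics at all. Depth is capped and errors throw.
function import_settings_json(string $raw): array {
    $data = json_decode($raw, true, 16, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : [];
}

// Detection helper for request filtering or log review: a serialized PHP object
// literal has the shape O:<len>:"<class>":, while plain arrays start with a:.
function looks_like_serialized_object(string $raw): bool {
    return (bool) preg_match('/(^|[;{])O:\d+:"/', $raw);
}

// Constructed sample input: a harmless settings array, and an array that
// smuggles an object of a class which does not exist in this script.
$array_payload  = serialize(['per_page' => 20, 'currency' => 'USD']);
$object_payload = 'a:1:{s:3:"obj";O:12:"Example_Type":0:{}}';

var_dump(import_settings_no_objects($array_payload));
var_dump(looks_like_serialized_object($array_payload));
var_dump(looks_like_serialized_object($object_payload));

try {
    import_settings_no_objects($object_payload);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}

var_dump(import_settings_json(json_encode(['per_page' => 20])));
```

The second hardened form is the one to reach for when the data format is under your control; the first is the minimal change when an existing serialized format must keep being accepted. The detection helper is a coarse filter for triage, since legitimate serialized arrays can also contain nested objects.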