What the vulnerability does
Description
Deserialization of Untrusted Data vulnerability in webdevstudios Constant Contact for WordPress allows Object Injection. This issue affects Constant Contact for WordPress: from n/a through 4.1.1.
CVSS base score
8.8 (High), as computed from the CVSS 3.1 vector below
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Explanation of Vulnerability in Simple Terms
The Constant Contact for WordPress plugin, through version 4.1.1, passes data that arrives from outside the site to PHP's unserialize() without validating it. Because PHP unserialization reconstructs whatever object the input describes, an attacker can make the plugin instantiate classes of their choosing with attacker-controlled property values (PHP Object Injection). If a suitable class is loadable on the site (in this plugin, in WordPress core, or in any other installed plugin or theme) whose magic methods such as __wakeup or __destruct perform sensitive actions, the attacker can chain these into file writes, file deletion, or arbitrary PHP code execution. No account on the site is needed, but the attacker must get a user to click a crafted link or visit a page they control. The CVSS vector rates the impact on confidentiality, integrity, and availability as high.
What an attacker can do
Force the plugin to instantiate arbitrary PHP objects with attacker-chosen properties. With a usable gadget chain present on the site, this escalates to running arbitrary PHP code and taking full control of the WordPress installation.
Potential impact on your site
Complete compromise of the WordPress site, including access to all user data, ability to modify content, and potential malware installation.
Conditions required to exploit
Network access and user interaction are required. No authentication is needed, but the victim must click a link or visit a page controlled by the attacker.
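To make the mechanism concrete, the following PHP is an added illustration written for this page; it is not code from the Constant Contact for WordPress plugin, and the class and function names (LogWriter, load_settings_vulnerable, load_settings_json, load_settings_no_objects, load_settings_signed) are hypothetical. It shows the vulnerable pattern (unserialize() on request-controlled data), a constructed payload that causes a gadget class's __destruct to run with attacker-chosen properties, and three safer ways to handle the same data.

```php
<?php
// Added illustrative example; not code from the Constant Contact for WordPress plugin.
// Run with: php poc.php

// Hypothetical gadget: any autoloadable class on the site whose magic method
// (__wakeup, __destruct, __toString, ...) does something sensitive. A real gadget
// would, for example, write $data to $path; this demo only reports what it would do.
class LogWriter
{
    public $path;
    public $data;

    public function __destruct()
    {
        echo "LogWriter::__destruct would now write " . strlen((string) $this->data)
            . " bytes to " . $this->path . PHP_EOL;
    }
}

// VULNERABLE: the raw string comes from the request (cookie, query string, POST field),
// so the attacker decides which class is instantiated and with which property values.
function load_settings_vulnerable(string $raw): mixed
{
    return unserialize($raw);
}

// SAFE option 1: do not use PHP serialization across a trust boundary at all.
// JSON cannot describe objects, so no class is ever instantiated.
function load_settings_json(string $raw): ?array
{
    $decoded = json_decode($raw, true, 512, JSON_THROW_ON_ERROR);
    return is_array($decoded) ? $decoded : null;
}

// SAFE option 2: if PHP serialization cannot be avoided, forbid object creation.
// Any O:... entry becomes __PHP_Incomplete_Class, whose magic methods never run.
function load_settings_no_objects(string $raw): mixed
{
    return unserialize($raw, ['allowed_classes' => false]);
}

// SAFE option 3: authenticate the blob with a server-side secret before touching it,
// and still disallow objects. Format assumed here: "<hex hmac>.<serialized data>".
function load_settings_signed(string $signed, string $key): mixed
{
    [$mac, $raw] = explode('.', $signed, 2) + [null, null];
    if ($mac === null || $raw === null
        || !hash_equals(hash_hmac('sha256', $raw, $key), $mac)) {
        throw new RuntimeException('serialized data failed authentication');
    }
    return unserialize($raw, ['allowed_classes' => false]);
}

// Constructed attacker payload: a LogWriter with attacker-chosen properties.
$payload = 'O:9:"LogWriter":2:{s:4:"path";s:17:"/tmp/poc_injected";s:4:"data";s:5:"pwned";}';

echo "--- vulnerable path ---" . PHP_EOL;
$obj = load_settings_vulnerable($payload);
var_dump($obj instanceof LogWriter);   // true: the attacker's class was instantiated
$obj = null;                           // object is destroyed, __destruct fires with attacker data

echo "--- allowed_classes => false ---" . PHP_EOL;
$safe = load_settings_no_objects($payload);
var_dump(get_class($safe));            // __PHP_Incomplete_Class: no gadget method runs
$safe = null;

echo "--- HMAC check on a tampered blob ---" . PHP_EOL;
$key = random_bytes(32);               // in practice, a persistent server-side secret
try {
    load_settings_signed('deadbeef.' . $payload, $key);
} catch (RuntimeException $e) {
    echo $e->getMessage() . PHP_EOL;   // rejected before unserialize() is reached
}

echo "--- JSON instead of serialize() ---" . PHP_EOL;
var_dump(load_settings_json('{"list_id":"42","opt_in":true}'));
```

Note that in a WordPress plugin the call is often indirect, through WordPress's maybe_unserialize(), which hands the string to unserialize() without restricting classes; it needs the same treatment as a direct call when the input can be influenced by a visitor. Also, the gadget does not have to live in the vulnerable plugin itself: any class reachable by the site's autoloaders is a candidate, which is why the impact of object injection depends on the whole installed code base rather than on this plugin alone.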