What the vulnerability does
Description
Deserialization of Untrusted Data vulnerability in ShapedPlugin LLC WP Tabs wp-expand-tabs-free allows Object Injection. This issue affects WP Tabs: from n/a through <= 2.2.12.
CVSS base score
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Explanation of Vulnerability in Simple Terms
WP Tabs versions 2.2.12 and earlier contain a deserialization vulnerability that allows authenticated administrators to execute arbitrary PHP code on the site. An attacker with admin access can craft malicious serialized data that, when processed by the plugin, runs their own code with full site privileges. This requires high-level access but poses a critical risk if admin accounts are compromised.
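The defensive counterpart to the deserialization flaw described above, as an added example: it is not WP Tabs code, and the class name, function names and sample inputs are hypothetical. It decodes serialized settings without instantiating any class and rejects input that carries an object.

```php
<?php
// Added illustration; not WP Tabs code. All names below are hypothetical.

// Stand-in for any class whose magic methods run during deserialization.
class DemoGadget {
    public static $woke = false;
    public function __wakeup() { self::$woke = true; }
}

// Recursively report whether a decoded value contains any object,
// including the placeholder PHP creates for disallowed classes.
function contains_object($value): bool {
    if (is_object($value) || $value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// Decode serialized settings; returns the array, or null when rejected.
// A bare unserialize($raw) would instead instantiate DemoGadget and
// run its __wakeup() on the second sample input below.
function decode_settings(string $raw): ?array {
    // allowed_classes => false maps every object to __PHP_Incomplete_Class,
    // so no magic method of a real class can execute.
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($value) || contains_object($value)) {
        return null;
    }
    return $value;
}

// Constructed sample inputs.
$benign    = serialize(['title' => 'Tabs', 'items' => [1, 2]]); // scalars only
$untrusted = 'a:1:{s:1:"x";O:10:"DemoGadget":0:{}}';           // carries an object

var_dump(decode_settings($benign));     // decoded settings array
var_dump(decode_settings($untrusted));  // result for the object-bearing input
var_dump(DemoGadget::$woke);            // whether __wakeup() ever ran
```

Where the data format is under the developer's control, storing settings as JSON and reading them with json_decode() avoids object instantiation altogether.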
What an attacker can do
Run arbitrary PHP code on the site with full administrative privileges.
Potential impact on your site
A compromised admin account can lead to complete site takeover, data theft, malware injection, or site destruction.
Conditions required to exploit
Attacker must have WordPress administrator account access; no user interaction required.