What the vulnerability does
01Description
Deserialization of Untrusted Data vulnerability in ConveyThis ConveyThis conveythis-translate allows Object Injection.This issue affects ConveyThis: from n/a through <= 269.1.
CVSS base score
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
What the vulnerability does
Deserialization of Untrusted Data vulnerability in ConveyThis ConveyThis conveythis-translate allows Object Injection.This issue affects ConveyThis: from n/a through <= 269.1.
Explanation of Vulnerability in Simple Terms
ConveyThis versions up to 269.1 contain a deserialization vulnerability that allows authenticated administrators to execute arbitrary code on the site. An attacker with high-level admin access can craft malicious serialized data that, when processed by the plugin, runs their own PHP code. This requires admin-level privileges and direct access to the vulnerable code path.
What an attacker can do
Run arbitrary PHP code on the site with full server privileges.
Potential impact on your site
A compromised admin account can fully compromise the site, steal data, or modify content.
Conditions required to exploit
Attacker must have high-level administrator access to the site.
Key dates
External resources