What the vulnerability does
01Description
Contributor PHP Object Injection in Anti-Malware Security and Brute-Force Firewall <= 4.23.87 versions.
CVSS base score
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
What the vulnerability does
Contributor PHP Object Injection in Anti-Malware Security and Brute-Force Firewall <= 4.23.87 versions.
Explanation of Vulnerability in Simple Terms
The Anti-Malware Security and Brute-Force Firewall plugin contains a deserialization flaw that allows authenticated attackers to execute arbitrary PHP code on the site. An attacker with low-level access can craft malicious serialized data that, when processed by the plugin, runs their own code with full site privileges. This affects all versions up to 4.23.87.
What an attacker can do
Run their own PHP code on the site with full administrative privileges.
Potential impact on your site
Any authenticated user can take over the site, steal data, modify content, or install backdoors.
Conditions required to exploit
Attacker must have a low-level user account (subscriber, contributor, or equivalent) on the site.
Key dates
External resources
Related vulnerabilities