What the vulnerability does
01Description
Deserialization of Untrusted Data vulnerability in ShapedPlugin LLC Real Testimonials testimonial-free allows Object Injection.This issue affects Real Testimonials: from n/a through <= 3.1.15.
CVSS base score
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
What the vulnerability does
Deserialization of Untrusted Data vulnerability in ShapedPlugin LLC Real Testimonials testimonial-free allows Object Injection.This issue affects Real Testimonials: from n/a through <= 3.1.15.
Explanation of Vulnerability in Simple Terms
Real Testimonials versions 3.1.15 and earlier contain a deserialization vulnerability in how they process untrusted data. An authenticated administrator can craft malicious serialized input to execute arbitrary PHP code on the site. This requires high-level admin access and affects confidentiality, integrity, and availability of the installation.
What an attacker can do
Run arbitrary PHP code on the site with full site privileges.
Potential impact on your site
A compromised admin account can fully compromise your site, steal data, modify content, or install backdoors.
Conditions required to exploit
Attacker must have administrator-level access to the WordPress site.
Key dates
External resources
Related vulnerabilities