CVE-2023-3343 - OpenCVE

The User Registration plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 3.0.1 via deserialization of untrusted input from the 'profile-pic-url' parameter. This allows authenticated attackers, with subscriber-level permissions and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Wpeverest	User Registration

Configuration 1 [-]

cpe:2.3:a:wpeverest:user_registration:*:*:*:*:*:wordpress:*:*

No data.

References

Link	Providers
https://plugins.trac.wordpress.org/browser/user-registration/tags/3.0.1/includes/functions-ur-core.php#L3156
https://plugins.trac.wordpress.org/changeset/2932199/user-registration/trunk/includes/functions-ur-core.php#file0
https://www.wordfence.com/threat-intel/vulnerabilities/id/3590277a-3319-4707-b728-d75ea59e8ad9?source=cve

History

No history.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2023-07-13T02:04:14.751Z

Updated: 2024-08-02T06:55:02.627Z

Reserved: 2023-06-20T17:22:00.922Z

Link: CVE-2023-3343

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-07-13T03:15:10.143

Modified: 2023-11-07T04:18:33.710

Link: CVE-2023-3343

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-3343", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2023-06-20T17:22:00.922Z", "datePublished": "2023-07-13T02:04:14.751Z", "dateUpdated": "2024-08-02T06:55:02.627Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2023-07-13T02:04:14.751Z"}, "affected": [{"vendor": "wpeverest", "product": "User Registration \u2013 Custom Registration Form, Login Form And User Profile For WordPress", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "3.0.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The User Registration plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 3.0.1 via deserialization of untrusted input from the 'profile-pic-url' parameter. This allows authenticated attackers, with subscriber-level permissions and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code."}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3590277a-3319-4707-b728-d75ea59e8ad9?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/user-registration/tags/3.0.1/includes/functions-ur-core.php#L3156"}, {"url": "https://plugins.trac.wordpress.org/changeset/2932199/user-registration/trunk/includes/functions-ur-core.php#file0"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Lana Codes"}], "timeline": [{"time": "2023-06-19T00:00:00.000+00:00", "lang": "en", "value": "Discovered"}, {"time": "2023-06-19T00:00:00.000+00:00", "lang": "en", "value": "Vendor Notified"}, {"time": "2023-06-29T00:00:00.000+00:00", "lang": "en", "value": "Disclosed"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T06:55:02.627Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3590277a-3319-4707-b728-d75ea59e8ad9?source=cve", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/browser/user-registration/tags/3.0.1/includes/functions-ur-core.php#L3156", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/changeset/2932199/user-registration/trunk/includes/functions-ur-core.php#file0", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wpeverest:user_registration:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "2D450782-9C36-4694-9C41-503B702D1F56", "versionEndIncluding": "3.0.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The User Registration plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 3.0.1 via deserialization of untrusted input from the 'profile-pic-url' parameter. This allows authenticated attackers, with subscriber-level permissions and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code."}, {"lang": "es", "value": "El plugin User Registration para WordPress es vulnerable a la inyecci\u00f3n de objetos PHP en versiones hasta la 3.0.1 inclusive a trav\u00e9s de la deserializaci\u00f3n de la entrada no fiable del par\u00e1metro \"profile-pic-url\". Esto permite a atacantes autenticados, con permisos de nivel de suscriptor y superiores, inyectar un objeto PHP. Ninguna cadena POP est\u00e1 presente en el plugin vulnerable. Si una cadena POP est\u00e1 presente a trav\u00e9s de un plugin adicional o tema instalado en el sistema objetivo, podr\u00eda permitir al atacante eliminar archivos arbitrarios, recuperar datos sensibles o ejecutar c\u00f3digo. "}], "id": "CVE-2023-3343", "lastModified": "2023-11-07T04:18:33.710", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2023-07-13T03:15:10.143", "references": [{"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/browser/user-registration/tags/3.0.1/includes/functions-ur-core.php#L3156"}, {"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/2932199/user-registration/trunk/includes/functions-ur-core.php#file0"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3590277a-3319-4707-b728-d75ea59e8ad9?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Modified"}