The MultiPurpose theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.2.0 via deserialization of untrusted input through the 'wpeden_post_meta' post meta. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
Metrics
Affected Vendors & Products
References
History
Thu, 08 Aug 2024 14:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Buywptemplates
Buywptemplates multipurpose |
|
CPEs | cpe:2.3:a:buywptemplates:multipurpose:*:*:*:*:*:*:*:* | |
Vendors & Products |
Buywptemplates
Buywptemplates multipurpose |
|
Metrics |
ssvc
|
Thu, 08 Aug 2024 02:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | The MultiPurpose theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.2.0 via deserialization of untrusted input through the 'wpeden_post_meta' post meta. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. | |
Title | MultiPurpose <= 1.2.0 - Authenticated (Contributor+) PHP Object Injection | |
Weaknesses | CWE-502 | |
References |
| |
Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: Wordfence
Published: 2024-08-08T01:50:34.257Z
Updated: 2024-08-08T14:00:17.788Z
Reserved: 2024-08-05T12:45:19.110Z
Link: CVE-2024-7486
Vulnrichment
Updated: 2024-08-08T14:00:04.122Z
NVD
Status : Awaiting Analysis
Published: 2024-08-08T02:15:38.577
Modified: 2024-08-08T13:04:18.753
Link: CVE-2024-7486
Redhat
No data.