CVE-2020-35938

CWE-502Deserialization of Untrusted DataCWE-743 documents3 sources
Severity
8.8HIGH
EPSS
1.3%
top 19.98%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Pickplugins Post GridPickplugins Team Showcase
Timeline
PublishedJan 1
Latest updateMay 24

Description

PHP Object injection vulnerabilities in the Post Grid plugin before 2.0.73 for WordPress allow remote authenticated attackers to inject arbitrary PHP objects due to insecure unserialization of data supplied in a remotely hosted crafted payload in the source parameter via AJAX. The action must be set to post_grid_import_xml_layouts.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.6 | Impact: 5.9

Affected Packages2 packages

NVDpickplugins/post_grid< 2.0.73

🔴Vulnerability Details

2
GHSA
GHSA-gpmw-c588-4p7h: PHP Object injection vulnerabilities in the Post Grid plugin before 22022-05-24
CVEList
CVE-2020-35938: PHP Object injection vulnerabilities in the Post Grid plugin before 22021-01-01
CVE-2020-35938 (HIGH CVSS 8.8) | PHP Object injection vulnerabilitie | cvebase.io