CVE-2023-26326
Published: 2023-02-23
Priority: P265
Severity: critical, CVSS 3.1 base score 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 3.82% (88.8th percentile)
The BuddyForms WordPress plugin, in versions prior to 2.7.8, was affected by an unauthenticated insecure deserialization issue. An unauthenticated attacker could leverage this issue to call files using a PHAR wrapper, which deserializes the data and instantiates arbitrary PHP objects that can be used to perform a variety of malicious actions, provided a POP chain is also present.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| themekraft | buddyforms | < 2.7.8 | 2.7.8 |
Detection & IOCs
- Monitor HTTP requests to WordPress for the 'upload_image_from_url' action containing a 'url' parameter that begins with 'phar://'; this is the direct exploitation vector for CVE-2023-26326.
- A two-stage attack pattern should be detected: first, a file upload of a PHAR-disguised image via upload_image_from_url, followed by a second request invoking the same action with a phar:// URI pointing to the uploaded file.
- Flag BuddyForms plugin versions prior to 2.7.8 in WordPress inventory scans as vulnerable to unauthenticated insecure deserialization.
- Exploitation requires a POP (Property Oriented Programming) chain to be present in the WordPress environment; the vulnerability alone is not sufficient for arbitrary code execution without a suitable gadget chain from another loaded plugin or theme.
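The two detection points above (a phar:// value in the url parameter of the upload_image_from_url action, and the two-stage pattern of a plain upload followed by a phar:// call from the same client) as a log-scanning script. This is an added example, not code from the CVE record, the plugin or any vendor. It assumes the action is reached through WordPress's /wp-admin/admin-ajax.php endpoint and that the parameters are visible in the access-log query string; the log lines are constructed samples.

```python
"""Flag CVE-2023-26326 exploitation attempts in WordPress access logs."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

# Names taken from the CVE record: the vulnerable AJAX action and the
# stream wrapper prefix that should never reach it.
ACTION = "upload_image_from_url"
PHAR_PREFIX = "phar://"

# Apache/nginx "combined" format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict with ip, ts, path, params, status, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return {"ip": m.group("ip"), "ts": m.group("ts"), "path": parts.path,
            "params": params, "status": int(m.group("status"))}


def classify(req):
    """Map a parsed request to an attack stage, or None if it is not of interest."""
    if req is None or req["params"].get("action") != ACTION:
        return None
    # Decode once more so a double-encoded "phar%253A%252F%252F" is still caught;
    # lower-case because PHP matches stream wrapper names case-insensitively.
    url = unquote(req["params"].get("url", "")).strip().lower()
    if url.startswith(PHAR_PREFIX):
        return "phar_invocation"
    return "upload_from_url"


def analyze(lines):
    """Return one finding per interesting request, in log order.

    Stage 1 (a plain upload_image_from_url call) is remembered per client IP;
    a later phar:// call from the same IP completes the two-stage pattern from
    the CVE record and is rated critical, a lone phar:// call is rated high.
    """
    findings = []
    stage1_seen = defaultdict(bool)
    for line in lines:
        req = parse_line(line)
        stage = classify(req)
        if stage is None:
            continue
        if stage == "upload_from_url":
            stage1_seen[req["ip"]] = True
            severity = "info"
        else:
            severity = "critical" if stage1_seen[req["ip"]] else "high"
        findings.append({"ip": req["ip"], "ts": req["ts"], "stage": stage,
                         "severity": severity, "url": req["params"].get("url", "")})
    return findings


# Constructed sample log lines (not real traffic). The /wp-admin/admin-ajax.php
# path is an assumption about where the action is reached.
SAMPLE_LOG = [
    '198.51.100.7 - - [23/Feb/2023:10:14:55 +0000] "GET /?p=1 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [23/Feb/2023:10:15:01 +0000] "POST /wp-admin/admin-ajax.php?action=upload_image_from_url&url=http%3A%2F%2Fexample.test%2Fimg.jpg HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [23/Feb/2023:10:15:09 +0000] "POST /wp-admin/admin-ajax.php?action=upload_image_from_url&url=phar%3A%2F%2Fuploaded-image.jpg HTTP/1.1" 200 128 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [23/Feb/2023:11:02:33 +0000] "POST /wp-admin/admin-ajax.php?action=upload_image_from_url&url=PHAR%3A%2F%2Fanything HTTP/1.1" 500 0 "-" "curl/7.88"',
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['severity']:8} {f['ip']:14} {f['stage']:16} {f['url']}")
```

Access logs only record the query string, so if the plugin accepts the url parameter in a POST body the same logic has to run on WAF or request-body logs instead; the classification rules do not change. A version check against the affected table (BuddyForms < 2.7.8) belongs in the inventory scan, not in this per-request logic.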
No detection rules found.
No public exploits indexed.