CVE-2023-26326
published 2023-02-23


Priority: P2 65
Severity: critical (CVSS 3.1 base score 9.8)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 3.82% (88.8th percentile)
The BuddyForms WordPress plugin, in versions prior to 2.7.8, was affected by an unauthenticated insecure deserialization issue. An unauthenticated attacker could leverage this issue to call files using a PHAR wrapper that will deserialize the data and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present.

Affected

1 range
Vendor: themekraft
Product: buddyforms
Version range: < 2.7.8
Fixed in: 2.7.8

Detection & IOCs

  • upload_image_from_url (WordPress action)
  • phar:// wrapper via url parameter
  • Monitor HTTP requests to WordPress for the 'upload_image_from_url' action containing a 'url' parameter that begins with 'phar://' — this is the direct exploitation vector for CVE-2023-26326.
  • A two-stage attack pattern should be detected: first, a file upload of a PHAR-disguised image via upload_image_from_url, followed by a second request invoking the same action with a phar:// URI pointing to the uploaded file.
  • Flag BuddyForms plugin versions prior to 2.7.8 in WordPress inventory scans as vulnerable to unauthenticated insecure deserialization.
  • Exploitation requires a POP (Property Oriented Programming) chain to be present in the WordPress environment; the vulnerability alone is not sufficient for arbitrary code execution without a suitable gadget chain from another loaded plugin or theme.
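The two detection notes above (the phar:// url parameter on the upload_image_from_url action, and the upload-then-phar:// sequence) as an added example that is not part of this record or of the BuddyForms plugin: a Python check run over constructed access-log lines that raises one alert per phar:// request and labels it two-stage when the same source IP already called the action with a normal URL. The admin-ajax.php path and the query-string placement of the parameters in the samples are assumptions; the logic keys only on the action and url parameters.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample log lines (not real traffic). The endpoint path is a
# placeholder; only the action/url parameters matter to the check below.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Mar/2023:10:00:01 +0000] "GET /?s=hello HTTP/1.1" 200 4096
203.0.113.7 - - [01/Mar/2023:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=upload_image_from_url&url=http://203.0.113.7/pic.jpg HTTP/1.1" 200 210
203.0.113.7 - - [01/Mar/2023:10:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=upload_image_from_url&url=phar://./wp-content/uploads/2023/03/pic.jpg HTTP/1.1" 500 0
192.0.2.9 - - [01/Mar/2023:10:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=upload_image_from_url&url=PHAR%3A%2F%2F/tmp/x.jpg HTTP/1.1" 500 0
198.51.100.2 - - [01/Mar/2023:10:03:00 +0000] "GET /?s=hello HTTP/1.1" 200 4096
"""

# Common/combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
ACTION = "upload_image_from_url"

def parse_line(line):
    """Extract source IP, timestamp and the decoded action/url query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    q = parse_qs(urlparse(m["target"]).query)  # parse_qs also URL-decodes values
    return {"ip": m["ip"], "ts": m["ts"],
            "action": q.get("action", [""])[0], "url": q.get("url", [""])[0]}

def analyze(log_text):
    """Return alerts for phar:// url values on the action; track prior uploads per IP."""
    alerts = []
    uploads_seen = set()  # IPs that already used the action with a non-phar URL
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["action"] != ACTION:
            continue
        # PHP stream wrappers are case-insensitive, so normalise before matching.
        if rec["url"].lower().startswith("phar://"):
            pattern = ("two-stage (upload then phar://)" if rec["ip"] in uploads_seen
                       else "phar:// via url parameter")
            alerts.append({"ip": rec["ip"], "ts": rec["ts"], "pattern": pattern, "url": rec["url"]})
        else:
            uploads_seen.add(rec["ip"])
    return alerts

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f'{a["ts"]} {a["ip"]} {a["pattern"]}: url={a["url"]}')
```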