CVE-2023-4643

Severity
8.8 HIGH
EPSS
0.5%
top 33.47%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published Oct 16

Description

The Enable Media Replace WordPress plugin before 4.1.3 unserializes user input via the Remove Background feature, which could allow Author+ users to perform PHP Object Injection when a suitable gadget is present on the blog.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 | Impact: 5.9

Affected Packages: 2 packages

Vulnerability Details (2)
CVEList
Enable Media Replace < 4.1.3 - Author+ PHP Object Injection (2023-10-16)
GHSA
GHSA-h9gw-q7wq-vrfv: The Enable Media Replace WordPress plugin before 4 (2023-10-16)
CVE-2023-4643 (HIGH CVSS 8.8) | The Enable Media Replace WordPress | cvebase.io