CVE-2023-6049

CWE-502 — Deserialization of Untrusted Data3 documents3 sources

Severity

9.8CRITICAL

EPSS

0.8%

top 25.61%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Unknown Estatik Real Estate Plugin Estatik Estatik

Timeline

PublishedJan 15

Description

The Estatik Real Estate Plugin WordPress plugin before 4.1.1 unserializes user input via some of its cookies, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget chain is present on the blog

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5unknown/estatik_real_estate_plugin< 4.1.1

▶NVDestatik/estatik< 4.1.1

🔴Vulnerability Details

GHSA

GHSA-5fvv-qqh5-frx3: The Estatik Real Estate Plugin WordPress plugin before 4↗2024-01-15

▶

CVEList

Estatik Real Estate Plugin < 4.1.1 - Unauthenticated PHP Object Injection↗2024-01-15

▶