CVE-2024-0668

CWE-502 — Deserialization of Untrusted Data3 documents3 sources

Severity

7.2HIGH

EPSS

0.5%

top 32.62%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Symptote Advanced Database Cleaner – Optimize & Clean Database TO Speed UP Site Performance Sigmaplugin Advanced Database Cleaner

Timeline

PublishedFeb 5

Latest updateFeb 6

Description

The Advanced Database Cleaner plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.1.3 via deserialization of untrusted input in the 'process_bulk_action' function. This makes it possible for authenticated attacker, with administrator access and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to dele…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 0.7 | Impact: 5.9

Affected Packages2 packages

▶NVDsigmaplugin/advanced_database_cleaner3.1.3

▶CVEListV5symptote/advanced_database_cleaner_–_optimize_&_clean_database_to_speed_up_site_performance3.1.3

Patches

Patch: plugins.trac.wordpress.org ↗Patch: plugins.trac.wordpress.org ↗

🔴Vulnerability Details

GHSA

GHSA-fvvm-3cr2-6qx2: The Advanced Database Cleaner plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3↗2024-02-06

▶

CVEList

Advanced Database Cleaner <= 3.1.3 - Authenticated(Administrator+) PHP Object Injection via process_bulk_action↗2024-02-05

▶