CVE-2023-26326
CVSS V2 None
CVSS V3 None
Description
The BuddyForms WordPress plugin, in versions prior to 2.7.8, was affected by an unauthenticated insecure deserialization issue. An unauthenticated attacker could leverage this issue to call files using a PHAR wrapper that will deserialize the data and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present.
Overview
- CVE ID
- CVE-2023-26326
- Assigner
- vulnreport@tenable.com
- Vulnerability Status
- Analyzed
- Published Version
- 2023-02-23T20:15:14
- Last Modified Date
- 2023-03-03T16:46:29
Weakness Enumerations
CPE Configuration (Product)
| CPE | Vulnerable | Operator | Version Start | Version End |
|---|---|---|---|---|
| cpe:2.3:a:themekraft:buddyforms:*:*:*:*:*:wordpress:*:* | 1 | OR | 2.7.8 |
References
| Reference URL | Reference Tags |
|---|---|
| https://www.tenable.com/security/research/tra-2023-7 | Exploit Third Party Advisory |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2023-26326 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26326 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2023-04-17 05:23:42 | Added to TrackCVE | |||
| 2023-04-17 05:23:45 | Weakness Enumeration | new |