First published: Thu Feb 23 2023
The BuddyForms WordPress plugin, in versions prior to 2.7.8, is affected by an unauthenticated insecure deserialization issue. An unauthenticated attacker can pass a path that uses the phar:// stream wrapper to a PHP file operation; PHP then parses the archive and unserializes its metadata, instantiating arbitrary PHP objects. With a suitable POP (property-oriented programming) chain present in the application or its libraries, this can be used to perform a variety of malicious actions.
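The mechanism described above, as an added example that is not BuddyForms code or Tenable's proof of concept: a stand-in gadget class, a vulnerable handler that passes user input straight to a filesystem call, the construction of a phar whose metadata is the gadget, and a hardened handler that allow-lists URL schemes before touching the filesystem. The class name DemoGadget, the function names and the temp-file paths are all assumptions chosen for this demonstration.

```php
<?php
// Constructed demonstration, not BuddyForms code. Shows how a phar:// path
// handed to an ordinary filesystem call reaches unserialize(), and one way
// to reject it before the call is made.

// Stand-in gadget. A real POP chain reuses a class that already exists in the
// application or its dependencies; the magic method below only drops a marker
// file so the deserialization is observable.
class DemoGadget {
    public $marker = '';
    public function __wakeup() {
        // Runs when unserialize() rebuilds this object from phar metadata.
        file_put_contents($this->marker, "unserialized from phar metadata\n");
    }
}

// Vulnerable pattern: user input reaches a filesystem function unchanged.
// On PHP < 8.0, file_exists(), is_file(), getimagesize() and similar calls on
// a phar:// path parse the archive manifest and unserialize its metadata.
function vulnerable_check(string $userPath): bool {
    return file_exists($userPath);
}

// Hardened form: allow-list the schemes the feature needs and refuse everything
// else before any filesystem call. Compare case-insensitively: PHP treats
// PHAR:// and phar:// the same.
function safe_check(string $userPath): bool {
    $scheme = strtolower((string) parse_url($userPath, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return false; // rejects phar://, file://, data://, bare paths, ...
    }
    return true; // further checks (host allow-list, size limits) belong here
}

// Build an archive whose metadata is the gadget object. Creating a Phar needs
// phar.readonly=0, e.g. php -d phar.readonly=0 demo.php; reading it does not.
function build_demo_phar(string $pharPath, string $marker): void {
    if (file_exists($pharPath)) {
        unlink($pharPath);
    }
    $phar = new Phar($pharPath);
    $phar->startBuffering();
    $phar->addFromString('x.txt', 'x');
    $phar->setStub('<?php __HALT_COMPILER(); ?>');
    $gadget = new DemoGadget();
    $gadget->marker = $marker;
    $phar->setMetadata($gadget);
    $phar->stopBuffering();
}

$archive = sys_get_temp_dir() . '/demo.phar';
$marker  = sys_get_temp_dir() . '/phar-demo-marker.txt';
build_demo_phar($archive, $marker);
@unlink($marker);

// The attacker-controlled "url": the wrapper plus any path inside the archive.
$payload = 'phar://' . $archive . '/x.txt';

vulnerable_check($payload);
printf("vulnerable_check: marker written = %s\n", file_exists($marker) ? 'yes' : 'no');

printf("safe_check(phar payload) = %s\n", safe_check($payload) ? 'allowed' : 'rejected');
printf("safe_check(https image)  = %s\n", safe_check('https://example.com/a.png') ? 'allowed' : 'rejected');
```

Run it with `php -d phar.readonly=0 demo.php`. On PHP 7.x the marker file appears after `vulnerable_check`, even though the code never calls `unserialize()` itself; that is the whole point of the phar:// technique. On PHP 8.0 and later phar metadata is only unserialized by an explicit `Phar::getMetadata()` call, so the marker is not written, but the scheme check is still the right fix: it keeps a user-supplied string from selecting a stream wrapper at all, which also closes off file:// and other wrappers that the plugin's feature never needs.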
Credit: vulnreport@tenable.com
Affected Software | Affected Version | How to fix |
---|---|---|
Themekraft Buddyforms | <2.7.8 | Update to 2.7.8 or later |
CVE-2023-26326 is a vulnerability found in the BuddyForms WordPress plugin versions prior to 2.7.8.
The severity of CVE-2023-26326 is critical with a CVSS score of 9.8.
CVE-2023-26326 allows unauthenticated attackers to exploit an insecure deserialization issue in BuddyForms WordPress plugin versions prior to 2.7.8.
To fix CVE-2023-26326, it is recommended to update the BuddyForms WordPress plugin to version 2.7.8 or newer.
More information about CVE-2023-26326 can be found at the following link: https://www.tenable.com/security/research/tra-2023-7