
CVSS: 7.2 | EPSS: 0% | CPEs: 1 | EXPL: 1

The Customizer Export/Import WordPress plugin before 0.9.6 unserializes user input provided via the settings import, which could allow high-privilege users such as admin to perform PHP Object Injection when a suitable gadget is present.

The Customizer Export/Import plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 0.9.5 via deserialization of untrusted input from an imported file. This allows administrator-level attackers to inject a PHP object. No POP chain is present in the vulnerable plugin itself; if a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

• https://wpscan.com/vulnerability/356a5977-c90c-4fc6-98ed-032d5b27f272 • CWE-502: Deserialization of Untrusted Data •
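The following is an added illustrative example, not code from the Customizer Export/Import plugin or from the advisory. It models the pattern the entry describes: an import routine that hands the contents of an uploaded file straight to unserialize(), next to two hardened variants. The class Hypothetical_Temp_File is a made-up stand-in for a gadget that some other plugin or theme might ship (the "POP chain" the text refers to); the payload and the victim file are constructed for the demo.

```php
<?php
// Added example; not the plugin's own code. Everything below is hypothetical.

// Hypothetical gadget class, standing in for one provided by another plugin/theme:
// its destructor deletes whatever path it holds, so an attacker who can instantiate
// it with a chosen $path gets an arbitrary file delete when the object is freed.
class Hypothetical_Temp_File {
    public $path;
    public function __destruct() {
        if (is_string($this->path) && is_file($this->path)) {
            unlink($this->path);
        }
    }
}

// Vulnerable import: the serialized blob is trusted wholesale, so any class
// loaded on the site (here, the gadget above) can be instantiated by the importer.
function import_settings_vulnerable(string $blob): array {
    $data = unserialize($blob);
    return is_array($data) ? $data : [];
}

// Hardened import, option 1: keep the serialized format but forbid object
// instantiation (PHP 7.0+). Embedded objects come back as __PHP_Incomplete_Class,
// whose constructor and destructor never run; they are dropped here.
function import_settings_hardened(string $blob): array {
    $data = @unserialize($blob, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return [];
    }
    return array_filter($data, fn($v) => !($v instanceof __PHP_Incomplete_Class));
}

// Hardened import, option 2: do not use PHP serialization for the file format at
// all. JSON cannot express objects of arbitrary classes, so there is no gadget to reach.
function import_settings_json(string $blob): array {
    $data = json_decode($blob, true, 16, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : [];
}

// Constructed demo payload (hypothetical, not a real export file): a settings array
// whose "template" entry is a serialized gadget pointing at a file we want deleted.
$victim = sys_get_temp_dir() . '/poi_demo_victim.txt';
$cls    = Hypothetical_Temp_File::class;
$payload = sprintf(
    'a:1:{s:8:"template";O:%d:"%s":1:{s:4:"path";s:%d:"%s";}}',
    strlen($cls), $cls, strlen($victim), $victim
);

// 1. Vulnerable path: the gadget is instantiated, then destructed as soon as the
//    returned array is discarded, deleting the victim file.
file_put_contents($victim, 'important');
import_settings_vulnerable($payload);
printf("vulnerable import, file still exists: %s\n", var_export(file_exists($victim), true));

// 2. Hardened path: same payload, but no object is ever created.
file_put_contents($victim, 'important');
import_settings_hardened($payload);
printf("hardened import, file still exists:   %s\n", var_export(file_exists($victim), true));
unlink($victim);

// 3. JSON format: the equivalent settings round-trip without any class names involved.
$settings = import_settings_json(json_encode(['template' => 'default']));
printf("json import: %s\n", json_encode($settings));
```

The file-delete gadget is the simplest consequence listed in the entry; a gadget whose magic method reads a file or passes a string to eval or a shell would give the data-exfiltration or code-execution outcomes the advisory also mentions. The fix is the same either way: never let unserialize() see user-controlled bytes without allowed_classes => false, or move the export format to JSON.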