CVSS: 8.3 • EPSS: 0% • CPEs: 1 • EXPL: 1
CVE-2023-1347 – Customizer Export/Import < 0.9.6 - Admin+ PHP Object Injection
https://notcve.org/view.php?id=CVE-2023-1347
25 Apr 2023 — The Customizer Export/Import WordPress plugin before 0.9.6 unserializes user input provided via the settings, which could allow high-privilege users such as admin to perform PHP Object Injection when a suitable gadget is present. The Customizer Export/Import for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 0.9.5 via deserialization of untrusted input from an imported file. This allows administrator-level attackers to inject a PHP Object. No POP chain is present in the vul... • https://wpscan.com/vulnerability/356a5977-c90c-4fc6-98ed-032d5b27f272 • CWE-502: Deserialization of Untrusted Data