CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-49625 – WordPress SiteBuilder Dynamic Components plugin <= 1.0 - PHP Object Injection vulnerability
https://notcve.org/view.php?id=CVE-2024-49625
Deserialization of Untrusted Data vulnerability in Brandon Clark SiteBuilder Dynamic Components allows Object Injection.This issue affects SiteBuilder Dynamic Components: from n/a through 1.0. The SiteBuilder Dynamic Components plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.0 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. • https://patchstack.com/database/vulnerability/sitebuilder-dynamic-components/wordpress-sitebuilder-dynamic-components-plugin-1-0-php-object-injection-vulnerability?_s_id=cve • CWE-502: Deserialization of Untrusted Data •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2017-18604 – SiteBuilder Dynamic Components <= 1.0 - PHP Object Injection
https://notcve.org/view.php?id=CVE-2017-18604
The sitebuilder-dynamic-components plugin through 1.0 for WordPress has PHP object injection via an AJAX request. El plugin sitebuilder-dynamic-components versiones hasta 1.0 para WordPress, presenta una inyección de objetos PHP por medio de una petición AJAX. • https://wordpress.org/plugins/sitebuilder-dynamic-components/#developers https://wpvulndb.com/vulnerabilities/8829 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-502: Deserialization of Untrusted Data •