CVE-2023-26326

State: PUBLISHED · Published: 2023-02-23 · Updated: 2025-03-12 · Assigner: tenable

Description

The BuddyForms WordPress plugin, in versions prior to 2.7.8, was affected by an unauthenticated insecure deserialization issue. An unauthenticated attacker could leverage this issue to call files using a PHAR wrapper that will deserialize the data and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present.

CWE

(none)

Affected

n/a / BuddyForms WordPress Plugin — v=All versions prior to version 2.7.8 [affected]

CVSS

(none)

References

https://www.tenable.com/security/research/tra-2023-7

Source

cvelistV5-main/cves/2023/26xxx/CVE-2023-26326.json