Deserialization of Untrusted Data vulnerability in Chimpstudio FoodBakery wp-foodbakery allows Object Injection.This issue affects FoodBakery: from n/a through <= 3.3.
The vulnerability (CWE-502) results from improper deserialization of user-supplied data. An attacker can craft a malicious payload and submit it to a vulnerable entry point of the plugin, resulting in the injection and execution of a PHP object on the server side. If appropriate gadget chains (POP chains) exist in the application or installed components, it is possible to escalate the attack to arbitrary code execution or other critical operations.
An attacker without any authentication can potentially gain full control over the server, including the ability to read and modify data, delete files, or execute arbitrary code (RCE), depending on available gadget chains.
The FoodBakery plugin must be immediately updated to a version higher than 3.3. If an update is not available, the plugin should be deactivated and removed until a patch is released. Details regarding the fix are available in the Patchstack database at the address indicated in the references.
The FoodBakery plugin (wp-foodbakery) by Chimpstudio in all versions up to and including 3.3 (from n/a through <= 3.3) for the WordPress platform.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HChimpgroup Foodbakery
APPChimpgroup≤ 3.3
Related vulnerabilities
The WP Foodbakery WordPress plugin before 2.2, used in the FoodBakery WordPress theme before 2.2 did not prope...
WP JobHunt: nieuwierzytelnione przejęcie konta i privilege escalation
WP JobHunt dla WordPress – przejęcie konta przez zmianę adresu e-mail
Authentication bypass w WP JobHunt – przejęcie konta administratora
The WeStand WordPress theme before 2.1, footysquare WordPress theme, aidreform WordPress theme, statfort WordP...