Vulnerabilities > Deserialization of Untrusted Data

DATE CVE VULNERABILITY TITLE RISK
2025-03-20 CVE-2024-13921 Deserialization of Untrusted Data vulnerability in Webtoffee Order Export & Order Import for Woocommerce
The Order Export & Order Import for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.6.0 via deserialization of untrusted input from the 'form_data' parameter.
network
low complexity
webtoffee CWE-502
7.2
2025-03-19 CVE-2024-13410 The CozyStay and TinySalt plugins for WordPress are vulnerable to PHP Object Injection in all versions up to, and including, 1.7.0, and in all versions up to, and including, 3.9.0, respectively, via deserialization of untrusted input in the 'ajax_handler' function.
network
low complexity
CWE-502
critical
9.8
2025-03-17 CVE-2025-2376 A vulnerability has been found in viames Pair Framework up to 1.9.11 and classified as critical.
network
low complexity
CWE-502
7.3
2025-03-14 CVE-2025-2000 A maliciously crafted QPY file can potentially execute arbitrary code embedded in the payload without privilege escalation when deserialising QPY formats < 13.
network
low complexity
CWE-502
critical
9.8
2025-03-14 CVE-2024-13824 Deserialization of Untrusted Data vulnerability in Potenzaglobalsolutions Ciyashop
The CiyaShop - Multipurpose WooCommerce Theme theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.19.0 via deserialization of untrusted input in the 'add_ciyashop_wishlist' and 'ciyashop_get_compare' functions.
network
low complexity
potenzaglobalsolutions CWE-502
critical
9.8
2025-03-13 CVE-2024-10942 The All-in-One WP Migration and Backup plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.89 via deserialization of untrusted input in the 'replace_serialized_values' function.
network
high complexity
CWE-502
7.5
2025-03-07 CVE-2024-13906 The Gallery by BestWebSoft – Customizable Image and Photo Galleries for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.7.3 via deserialization of untrusted input in the 'import_gallery_from_csv' function.
network
low complexity
CWE-502
7.2
2025-03-06 CVE-2025-2043 A vulnerability was found in LinZhaoguan pb-cms 1.0.0 and classified as critical.
network
low complexity
CWE-502
4.7
2025-03-05 CVE-2024-13777 The ZoomSounds - WordPress Wave Audio Player with Playlist plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.91 via deserialization of untrusted input from the 'margs' parameter.
network
high complexity
CWE-502
8.1
2025-03-05 CVE-2024-13787 The VEDA - MultiPurpose WordPress Theme theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.2 via deserialization of untrusted input in the 'veda_backup_and_restore_action' function.
network
low complexity
CWE-502
critical
9.8