Vulnerabilities > Deserialization of Untrusted Data

DATE CVE VULNERABILITY TITLE RISK
2025-03-17 CVE-2025-2376 A vulnerability has been found in viames Pair Framework up to 1.9.11 and classified as critical.
network
low complexity
CWE-502
7.3
2025-03-14 CVE-2025-2000 A maliciously crafted QPY file can potentially execute arbitrary code embedded in the payload without privilege escalation when deserialising QPY formats < 13.
network
low complexity
CWE-502
critical
9.8
2025-03-14 CVE-2024-13824 Deserialization of Untrusted Data vulnerability in Potenzaglobalsolutions Ciyashop
The CiyaShop - Multipurpose WooCommerce Theme theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.19.0 via deserialization of untrusted input in the 'add_ciyashop_wishlist' and 'ciyashop_get_compare' functions.
network
low complexity
potenzaglobalsolutions CWE-502
critical
9.8
2025-03-13 CVE-2024-10942 The All-in-One WP Migration and Backup plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.89 via deserialization of untrusted input in the 'replace_serialized_values' function.
network
high complexity
CWE-502
7.5
2025-03-07 CVE-2024-13906 The Gallery by BestWebSoft – Customizable Image and Photo Galleries for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.7.3 via deserialization of untrusted input in the 'import_gallery_from_csv' function.
network
low complexity
CWE-502
7.2
2025-03-06 CVE-2025-2043 A vulnerability was found in LinZhaoguan pb-cms 1.0.0 and classified as critical.
network
low complexity
CWE-502
4.7
2025-03-05 CVE-2024-13777 The ZoomSounds - WordPress Wave Audio Player with Playlist plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.91 via deserialization of untrusted input from the 'margs' parameter.
network
high complexity
CWE-502
8.1
2025-03-05 CVE-2024-13787 The VEDA - MultiPurpose WordPress Theme theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.2 via deserialization of untrusted input in the 'veda_backup_and_restore_action' function.
network
low complexity
CWE-502
critical
9.8
2025-03-04 CVE-2025-0912 Deserialization of Untrusted Data vulnerability in Givewp
The Donations Widget plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.19.4 via deserialization of untrusted input from the Donation Form through the 'card_address' parameter.
network
low complexity
givewp CWE-502
critical
9.8
2025-03-03 CVE-2025-26967 Deserialization of Untrusted Data vulnerability in Stiofan Events Calendar for GeoDirectory allows Object Injection.
network
low complexity
CWE-502
8.8