Vulnerabilities > Deserialization of Untrusted Data

DATE CVE VULNERABILITY TITLE RISK
2025-01-23 CVE-2025-23006 Deserialization of Untrusted Data vulnerability in Sonicwall products
Pre-authentication deserialization of untrusted data vulnerability has been identified in the SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC), which in specific conditions could potentially enable a remote unauthenticated attacker to execute arbitrary OS commands.
network
low complexity
sonicwall CWE-502
critical
9.8
2025-01-22 CVE-2024-31903 Deserialization of Untrusted Data vulnerability in IBM Sterling B2B Integrator
IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.5 and 6.2.0.0 through 6.2.0.2 allow an attacker on the local network to execute arbitrary code on the system, caused by the deserialization of untrusted data.
low complexity
ibm CWE-502
8.8
2025-01-22 CVE-2025-0428 Deserialization of Untrusted Data vulnerability in Aipower
The "AI Power: Complete AI Pack" plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.8.96 via deserialization of untrusted input from the $form['post_content'] variable through the wpaicg_export_prompts function.
network
low complexity
aipower CWE-502
7.2
2025-01-22 CVE-2025-0429 Deserialization of Untrusted Data vulnerability in Aipower
The "AI Power: Complete AI Pack" plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.8.96 via deserialization of untrusted input from the $form['post_content'] variable through the wpaicg_export_ai_forms() function.
network
low complexity
aipower CWE-502
7.2
2025-01-21 CVE-2024-10936 Deserialization of Untrusted Data vulnerability in Instawp String Locator
The String locator plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.6.6 via deserialization of untrusted input in the 'recursive_unserialize_replace' function.
network
low complexity
instawp CWE-502
8.8
2025-01-20 CVE-2025-0586 The a+HRD from aEnrich Technology has an Insecure Deserialization vulnerability, allowing remote attackers with database modification privileges and regular system privileges to perform arbitrary code execution.
network
low complexity
CWE-502
7.2
2025-01-11 CVE-2024-12877 Deserialization of Untrusted Data vulnerability in Givewp
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.19.2 via deserialization of untrusted input from the donation form like 'firstName'.
network
low complexity
givewp CWE-502
critical
9.8
2025-01-11 CVE-2024-12627 The Coupon X: Discount Pop Up, Promo Code Pop Ups, Announcement Pop Up, WooCommerce Popups plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.5 via deserialization of untrusted input from post content passed to the capture_email AJAX action.
network
high complexity
CWE-502
7.5
2025-01-07 CVE-2024-11465 Deserialization of Untrusted Data vulnerability in Yikesinc Custom Product Tabs for Woocommerce
The Custom Product Tabs for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.8.5 via deserialization of untrusted input in the 'yikes_woo_products_tabs' post meta parameter.
network
low complexity
yikesinc CWE-502
7.2
2025-01-07 CVE-2024-12313 The Compare Products for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.2.1 via deserialization of untrusted input from the 'woo_compare_list' cookie.
network
high complexity
CWE-502
8.1