Description
Vanilla before 2.5.5 and 2.6.x before 2.6.2 allows Remote Code Execution because authenticated administrators have a reachable call to unserialize in the Gdn_Format class.
Remediation
References