Description

WordPress Plugin Carts Guru is prone to a vulnerability that lets remote attackers inject and execute arbitrary code because the application fails to sanitize user-supplied input before being passed to the unserialize() PHP function. Attackers can possibly exploit this issue to execute arbitrary PHP code within the context of the affected webserver process. WordPress Plugin Carts Guru version 1.4.5 is vulnerable; prior versions may also be affected.

Remediation

Disable the plugin until a fix is available

References

http://dumpco.re/bugs/wp-plugin-carts-guru-id

Related Vulnerabilities

Phusion Passenger Permissions, Privileges, and Access Controls Vulnerability (CVE-2016-10345)

WordPress Plugin Codestyling Localization Multiple Vulnerabilities (1.99.30)

WordPress Plugin Registration Forms-User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction Open Redirect (3.8.2.2)

WordPress Improper Input Validation Vulnerability (CVE-2008-5695)

Undertow Incorrect Authorization Vulnerability (CVE-2017-12196)

Severity

High

Classification

CVE-2019-12241 CWE-915 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Tags

Missing Update