Description
The WordPress plugin String Locator is prone to a PHP object deserialization vulnerability. An attacker may be able to make the plugin access a file through a PHAR stream wrapper, which triggers deserialization and instantiation of arbitrary PHP objects. Provided a usable POP chain is also present, these objects can be used to perform a variety of malicious actions. String Locator version 2.5.0 is vulnerable; prior versions may also be affected.
Remediation
Update the plugin to version 2.6.0 or the latest release.