Nguyen Huu Do

**Nome do software vulnerável e versões afetadas** Versões do plugin Formidable Forms para WordPress anteriores à 6.2 **Descrição** A vulnerabilidade permite que usuários anônimos realizem injeção de objeto PHP quando um gadget adequado está presente, devido à deserialização da entrada do usuário. **Recomendações** Para versões anteriores à 6.2, atualize para a versão 6.2 ou posterior para resolver o problema. Como solução temporária, considere restringir o acesso ao plugin para minimizar o risco de exploração.

**Name of the Vulnerable Software and Affected Versions** Ad Inserter WordPress plugin versions prior to 2.7.27 **Description** The issue allows high privilege users, such as admins, to perform PHP Object Injection when a suitable gadget is present. This is due to the plugin unserializing user input provided via the settings. **Recommendations** For versions prior to 2.7.27, update to version 2.7.27 or later to resolve the issue. As a temporary workaround, consider restricting access to the settings page to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Customizer Export/Import WordPress plugin versions prior to 0.9.6 **Description** The issue allows high privilege users, such as admins, to perform PHP Object Injection when a suitable gadget is present. This is due to the plugin unserializing user input provided via the settings. **Recommendations** For versions prior to 0.9.6, update to version 0.9.6 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** SEOPress WordPress plugin versions prior to 6.5.0.3 **Description** The issue allows high-privilege users, such as admins, to perform PHP Object Injection when a suitable gadget is present, due to the unserialize of user input provided via the settings. **Recommendations** For versions prior to 6.5.0.3, update to version 6.5.0.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Advanced Custom Fields (ACF) Free and Pro WordPress plugins versions 5.x through 5.12.4 Advanced Custom Fields (ACF) Free and Pro WordPress plugins versions 6.x through 6.0.x **Description** The issue allows users with a role of Contributor and above to perform PHP Object Injection when a suitable gadget is present, due to the unserialize of user controllable data. **Recommendations** For versions 5.x through 5.12.4, update to version 5.12.5 or later. For versions 6.x through 6.0.x, update to version 6.1.0 or later.

**Name of the Vulnerable Software and Affected Versions** The Photo Gallery by 10Web WordPress plugin versions prior to 1.8.15 **Description** The issue allows high privilege users to upload files outside of the intended uploads folder due to a path traversal vector, potentially enabling them to place images anywhere in the filesystem. **Recommendations** For versions prior to 1.8.15, update to version 1.8.15 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Revive Old Posts WordPress plugin versions prior to 9.0.11 **Description** The issue allows high privilege users, such as admins, to perform PHP Object Injection when a suitable gadget is present, due to the unserialize of user input provided via the settings. **Recommendations** For versions prior to 9.0.11, update to version 9.0.11 or later to resolve the issue. As a temporary workaround, consider restricting access to the settings page to minimize the risk of exploitation.