CVE-2023-3343

Name of the Vulnerable Software and Affected Versions User Registration plugin for WordPress versions up to, and including, 3.0.1

Description The issue allows authenticated attackers with subscriber-level permissions and above to inject a PHP Object via deserialization of untrusted input from the profile-pic-url parameter. This could potentially lead to the deletion of arbitrary files, retrieval of sensitive data, or execution of code if a POP chain is present via an additional plugin or theme installed on the target system.

Recommendations For versions up to, and including, 3.0.1, update to a version that contains a fix for this issue to prevent PHP Object Injection. As a temporary workaround, consider restricting access to the profile-pic-url parameter to minimize the risk of exploitation.