WordPress · WooCommerce Infinite Scroll/Ajax Pagination · CVE-2025-11993
**Name of the Vulnerable Software and Affected Versions**
WooCommerce Infinite Scroll and Ajax Pagination versions prior to 1.9
**Description**
The plugin is vulnerable to PHP Object Injection, a condition where untrusted data is deserialized, allowing an attacker to manipulate the application's logic. The issue occurs in the `import settings` function, via the `settings` parameter, during the import configuration process, because the plugin fails to perform the necessary capability checks. Authenticated attackers with Subscriber-level access or higher can inject a PHP object. The plugin itself contains no native POP chain (a sequence of gadgets used to achieve code execution), but a POP chain in another installed plugin or theme could enable the deletion of arbitrary files, retrieval of sensitive data, or remote code execution.
**Recommendations**
Update to a version later than 1.8.
As a temporary mitigation, restrict access to the import configuration feature or disable the `import settings` function until the update is applied.
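
One way to close both gaps named in the description (the missing capability check and the deserialization of untrusted data), shown as an added example and not the plugin's own code. The hook, nonce and option names are hypothetical, and reading `settings` from `$_POST` through an AJAX action is an assumption.

```php
<?php
// Added example, not the plugin's code. The hook, nonce and option names
// are hypothetical; reading `settings` from $_POST is an assumption.

/** Return true if $value contains an object at any depth. */
function example_contains_object($value): bool {
    // __PHP_Incomplete_Class is what unserialize() yields for blocked classes;
    // is_object() reports false for it before PHP 7.2, so test both.
    if (is_object($value) || $value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (example_contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

/** Decode imported settings without instantiating any class. */
function example_decode_settings(string $raw): ?array {
    // allowed_classes => false stops unserialize() from creating real
    // objects, so no __wakeup()/__destruct() gadget can be triggered.
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data) || example_contains_object($data)) {
        return null; // not a plain settings array: refuse the import
    }
    return $data;
}

function example_import_settings_handler(): void {
    // Capability check: the Subscriber role does not have manage_options.
    if (!current_user_can('manage_options')) {
        wp_send_json_error('Forbidden', 403);
    }
    // Nonce check; terminates the request if the nonce is missing or invalid.
    check_ajax_referer('example_import_settings', 'nonce');

    $raw = isset($_POST['settings']) ? wp_unslash($_POST['settings']) : '';
    $settings = is_string($raw) ? example_decode_settings($raw) : null;
    if ($settings === null) {
        wp_send_json_error('Invalid settings payload', 400);
    }
    update_option('example_plugin_settings', $settings);
    wp_send_json_success();
}
add_action('wp_ajax_example_import_settings', 'example_import_settings_handler');
```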