Ndqkhanh

**Name of the Vulnerable Software and Affected Versions** The Analyticator WordPress plugin versions prior to 6.5.6 **Description** The issue allows high privilege users, such as admins, to perform PHP Object Injection when a suitable gadget is present. This is due to the plugin unserializing user input provided via the settings. **Recommendations** For versions prior to 6.5.6, update to version 6.5.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the settings page to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** WP Custom Admin Interface WordPress plugin versions prior to 7.29 **Description** The issue allows high privilege users, such as admins, to perform PHP Object Injection when a suitable gadget is present. This is due to the plugin unserializing user input provided via the settings. **Recommendations** For WP Custom Admin Interface WordPress plugin versions prior to 7.29, update to version 7.29 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** The Checkout Field Editor (Checkout Manager) for WooCommerce WordPress plugin versions prior to 1.8.0 **Description** The issue allows high privilege users, such as admins, to perform PHP Object Injection when a suitable gadget is present. This is due to the plugin unserializing user input provided via the settings. **Recommendations** For versions prior to 1.8.0, update to version 1.8.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the settings page to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** LearnPress WordPress plugin versions prior to 4.1.7.2 **Description** The issue arises from the unserialization of user input in a REST API endpoint, which is accessible to unauthenticated users. This could lead to PHP Object Injection when a suitable gadget is present, resulting in remote code execution (RCE). To exploit this, attackers must have knowledge of the site secrets, enabling them to generate a valid hash via the `wp hash()` function. **Recommendations** For versions prior to 4.1.7.2, update to version 4.1.7.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the REST API endpoint to minimize the risk of exploitation.