PT-2018-17400 · WordPress · Wp-Splashing-Images

Published: 2018-01-30 · Updated: 2022-12-02 · CVE-2018-6195

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: wp-splashing-images, versions prior to 2.1.1
Description: The plugin passes the value of the `session` HTTP GET parameter sent to the wp-admin/upload.php endpoint to PHP's unserialize() without validating it. An authenticated remote attacker whose role can reach that page (author, editor or administrator) can therefore send a crafted serialized string and perform a PHP Object Injection attack: any class loaded in the WordPress process is instantiated with attacker-chosen property values, and its magic methods (__wakeup, __destruct, __toString and similar) run on those values. Whether this escalates to file write or code execution depends on the gadget classes available from WordPress core, the active theme and the other installed plugins, not on this plugin alone. Note that author- and editor-level accounts reach the vulnerable code, so on sites with many untrusted contributors the exposure is wider than the PR:H in the CVSS vector suggests.
Recommendations: Update to version 2.1.1 or later. Until the update is applied, deactivating the plugin is the more reliable interim measure: the vulnerable code is reachable by administrators as well, so restricting wp-admin/upload.php to administrators narrows the set of accounts that can trigger the bug but does not remove it. If the plugin must stay active, reject or block requests to wp-admin/upload.php whose `session` parameter contains a serialized PHP object (a value starting with `O:` or containing `;O:`), and review which other plugins and themes are installed, since they supply the gadget chains that turn object injection into file write or code execution.
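The pattern the description and the recommendations refer to, as an added example that is not the wp-splashing-images plugin's own code: the class LogWriter, the function names and the payload strings are hypothetical and only model the shape of the issue, a GET parameter fed to unserialize(), beside a hardened handler and the request-level check that can serve as an interim filter.

```php
<?php
// Added example modelling the pattern in the advisory; it is NOT the
// wp-splashing-images plugin's code. LogWriter, the function names and the
// payload strings are hypothetical and only stand in for the real handler.

// Stand-in for any class that happens to be loaded in the WordPress process
// (core, theme or another plugin) and has a magic method with a side effect.
class LogWriter
{
    public $path = '/tmp/app.log';
    public $data = '';

    // Runs when the object is garbage-collected, i.e. without the plugin ever
    // calling a method on it. A real gadget writes a file or evals code here.
    public function __destruct()
    {
        echo "LogWriter::__destruct() fired with path={$this->path}\n";
    }
}

// Vulnerable pattern: the GET parameter goes straight into unserialize().
function restore_session_vulnerable(string $raw)
{
    return unserialize($raw);
}

// Hardened pattern (PHP 7.0+): forbid object instantiation entirely, then
// enforce the shape the handler actually expects, a flat array of scalars.
function restore_session_hardened(string $raw): ?array
{
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($value)) {
        return null;   // objects come back as __PHP_Incomplete_Class, not arrays
    }
    foreach ($value as $v) {
        if (!is_scalar($v) && $v !== null) {
            return null;
        }
    }
    return $value;
}

// Interim request filter for a mu-plugin or WAF rule: reject a `session`
// value that carries a serialized object (O:) or a custom-serialized object
// (C:, the Serializable interface), at top level or nested inside an array.
// rawurldecode() handles a raw query string; $_GET values are already decoded.
function looks_like_php_object_payload(string $raw): bool
{
    return (bool) preg_match('/(^|[;{])[OC]:\d+:"/', rawurldecode($raw));
}

// --- constructed inputs for the demonstration (not captured traffic) ---
$benign    = serialize(['page' => 1, 'view' => 'grid']);
$malicious = 'O:9:"LogWriter":2:{s:4:"path";s:18:"/var/www/shell.php";s:4:"data";s:3:"...";}';

printf("benign payload flagged:    %s\n", var_export(looks_like_php_object_payload($benign), true));
printf("malicious payload flagged: %s\n", var_export(looks_like_php_object_payload($malicious), true));

var_dump(restore_session_hardened($benign));
var_dump(restore_session_hardened($malicious));

// The vulnerable path instantiates LogWriter with attacker-chosen properties;
// __destruct() fires as soon as the last reference goes away.
$obj = restore_session_vulnerable($malicious);
unset($obj);
```

Run with `php example.php`: the filter flags only the malicious string, the hardened handler returns the benign array and null for the object payload (unserialize() yields a __PHP_Incomplete_Class, which fails the is_array check), and the vulnerable path prints the __destruct() line with the attacker's path. The `allowed_classes` option requires PHP 7.0 or later; on older runtimes the only safe options are to stop calling unserialize() on request data altogether (json_decode() is the usual replacement) or to reject anything that is not a plain serialized array before the call.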

Weakness Enumeration

PHP Object Injection (CWE-502: Deserialization of Untrusted Data)

Related Identifiers

CVE-2018-6195

Affected Products

Wp-Splashing-Images