CVE-2023-28667

Name of the Vulnerable Software and Affected Versions The Lead Generated WordPress Plugin version <= 1.23

Description The issue is related to an unauthenticated insecure deserialization problem. The tve labels parameter of the tve api form submit action is passed to the PHP unserialize() function without proper sanitization or verification. This could lead to PHP object injection, which, when combined with specific class implementations or gadget chains, and a POP chain, could be used to perform various malicious actions.

Recommendations For The Lead Generated WordPress Plugin version <= 1.23, consider updating to a version that fixes this issue, as using the unserialize() function without proper input validation poses a significant risk. As a temporary workaround, consider restricting access to the tve api form submit action to minimize the risk of exploitation. Avoid using the tve labels parameter in the affected action until the issue is resolved.