The Feed Them Social – for Twitter feed, Youtube and more...
Critical severity
Unreviewed
Published
Jul 19, 2022
to the GitHub Advisory Database
•
Updated Oct 20, 2023
Description
Published by the National Vulnerability Database
Jul 18, 2022
Published to the GitHub Advisory Database
Jul 19, 2022
Last updated
Oct 20, 2023
The Feed Them Social – for Twitter feed, Youtube and more plugin for WordPress is vulnerable to deserialization of untrusted input via the 'fts_url' parameter in versions up to, and including 2.9.8.5. This makes it possible for unauthenticated attackers to call files using a PHAR wrapper that will deserialize the data and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the attacker is successful in uploading a file with the serialized payload.
References