InstaWP String Locator
cpe:2.3:a:instawp:string_locator:*:*:*:*:wordpress:*:*
- <= 2.6.6
A PHP Object Injection vulnerability has been identified in the String Locator plugin for WordPress, affecting all versions up to and including 2.6.6. The plugin's 'recursive_unserialize_replace' function passes untrusted data to PHP's unserialize() before applying the requested string replacement, so a serialized PHP object that an unauthenticated attacker has placed in data the plugin processes is instantiated, and its magic methods become reachable, when an administrator runs a search and replace action. The vulnerable plugin itself contains no known payload (POP) chain, so on its own the injected object does nothing harmful; if another installed plugin or theme supplies a suitable chain, the same injection can lead to arbitrary file deletion, sensitive data exposure, or code execution.
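The following is an added illustration of the pattern described above and is not the String Locator plugin's own code: a simplified search-and-replace helper in the style of a recursive unserialize-replace routine, shown first with a default unserialize() call and then hardened with the 'allowed_classes' option. The DemoGadget class is a hypothetical stand-in for a class from some other plugin or theme whose magic method does something dangerous; the stored row value is constructed sample data.

```php
<?php
// Hypothetical gadget class (assumption, not from any real plugin). A real
// POP chain would do something like unlink($this->path) in __destruct;
// here the destructor only reports that it ran.
class DemoGadget {
    public $path;
    public function __destruct() {
        echo "[gadget] __destruct reached, would act on: {$this->path}\n";
    }
}

// Vulnerable pattern: any string that unserialize() accepts is revived with
// default options, so an attacker-supplied O:...{} payload instantiates an
// object of any loaded class before the replacement is even attempted.
function replace_vulnerable($from, $to, $data) {
    if (is_array($data)) {
        foreach ($data as $k => $v) {
            $data[$k] = replace_vulnerable($from, $to, $v);
        }
        return $data;
    }
    if (is_string($data)) {
        $unserialized = @unserialize($data);          // revives arbitrary objects
        if ($unserialized !== false) {                // note: serialize(false) is "b:0;" and is skipped here
            return serialize(replace_vulnerable($from, $to, $unserialized));
        }
        return str_replace($from, $to, $data);
    }
    return $data;                                     // objects and scalars pass through untouched
}

// Hardened pattern: allowed_classes => false makes every object in the
// payload a __PHP_Incomplete_Class, so no __wakeup/__destruct/__toString of
// an attacker-chosen class can run. serialize() writes such an object back
// out under its original class name, so data is not corrupted, but the
// replacement no longer reaches strings inside object properties.
function replace_hardened($from, $to, $data) {
    if (is_array($data)) {
        foreach ($data as $k => $v) {
            $data[$k] = replace_hardened($from, $to, $v);
        }
        return $data;
    }
    if (is_string($data)) {
        $unserialized = @unserialize($data, ['allowed_classes' => false]);
        if ($unserialized !== false) {
            return serialize(replace_hardened($from, $to, $unserialized));
        }
        return str_replace($from, $to, $data);
    }
    return $data;
}

// Constructed sample: a row value an attacker managed to store earlier,
// later hit by an administrator's search and replace.
$stored = ['comment' => 'O:10:"DemoGadget":1:{s:4:"path";s:14:"/tmp/important";}'];

echo "vulnerable:\n";
$out = replace_vulnerable('tmp', 'var', $stored);   // DemoGadget::__destruct fires inside this call
echo $out['comment'], "\n";

echo "hardened:\n";
$out = replace_hardened('tmp', 'var', $stored);     // object stays incomplete; no magic method runs
echo $out['comment'], "\n";
```

The hardened form is the minimal fix for the injection itself. A search-and-replace tool that genuinely needs to edit strings inside serialized objects should pass an explicit allowlist of the classes it expects rather than reverting to the default, and should not treat a successful unserialize() of arbitrary row content as proof that the content is trustworthy.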
Successful exploitation yields PHP Object Injection. When combined with a payload execution chain from another installed plugin or theme, it could be leveraged to execute arbitrary code, delete files, or access sensitive information; without such a chain, the injected object has no known harmful effect in this plugin alone.
Users are advised to update the String Locator WordPress plugin to version 2.6.7 or later.