Nexter Extension Site Enhancements Toolkit Unauthenticated PHP Object Injection Vulnerability
Vulnerability
A PHP Object Injection vulnerability has been identified in the Nexter Extension – Site Enhancements Toolkit plugin for WordPress, affecting all versions through 4.4.6. The vulnerability arises from the deserialization of untrusted input in the 'nxt_unserialize_replace' function, allowing unauthenticated attackers to inject PHP objects. While the vulnerable plugin itself does not have a known PHP Object Injection chain, the issue could be exploited if another plugin or theme with a PHP Object Injection chain is installed, potentially enabling the attacker to delete files, access sensitive information, or execute code, depending on the specific PHP Object Injection chain available.
Impact
Successful exploitation gives an unauthenticated attacker PHP Object Injection: the injected object does nothing harmful on its own, but if another installed plugin or theme supplies a PHP Object Injection chain, it can be leveraged through that chain.
Remediation
Users are advised to update the Nexter Extension – Site Enhancements Toolkit plugin to version 4.4.7 or a newer patched version.
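As an added illustration of the weakness described above and of the fix a maintainer would apply (this is constructed example code, not the plugin's own; the real body of 'nxt_unserialize_replace' is not reproduced here, and the class, function names and payload are hypothetical), the snippet below shows unrestricted unserialize() on request data beside a hardened variant that refuses to instantiate any class:

```php
<?php
// Constructed stand-in for a gadget that some *other* plugin or theme might
// provide. Its magic methods run automatically during unserialize() and on
// object destruction, which is what makes object injection dangerous.
class DemoGadget
{
    public $path = '';
    public static $log = [];

    public function __wakeup()
    {
        self::$log[] = "__wakeup ran with attacker-controlled path: {$this->path}";
    }

    public function __destruct()
    {
        self::$log[] = "__destruct ran with attacker-controlled path: {$this->path}";
    }
}

// Hypothetical vulnerable pattern: serialized data taken straight from the
// request and passed to unserialize() with no class restriction.
function unsafe_unserialize_replace(string $untrusted)
{
    return unserialize($untrusted);
}

// Hardened variant: allowed_classes => false turns every object in the payload
// into __PHP_Incomplete_Class, so no magic method of any real class is invoked.
// If the data only ever needs scalars and arrays, json_decode() is safer still.
function safe_unserialize_replace(string $untrusted)
{
    return unserialize($untrusted, ['allowed_classes' => false]);
}

// Constructed sample input: a hand-written serialized DemoGadget, i.e. the kind
// of string an attacker would place in the request parameter.
$payload = 'O:10:"DemoGadget":1:{s:4:"path";s:12:"/tmp/example";}';

$obj = unsafe_unserialize_replace($payload);
var_dump($obj instanceof DemoGadget);   // bool(true): __wakeup has already run
unset($obj);                            // __destruct fires here as well
print_r(DemoGadget::$log);              // two log entries

$safe = safe_unserialize_replace($payload);
var_dump(get_class($safe) === '__PHP_Incomplete_Class'); // bool(true): inert object
var_dump(DemoGadget::$log === DemoGadget::$log);        // log unchanged by the safe call
```

Run with `php demo.php`; the first unserialize() records two entries in DemoGadget::$log, the hardened one records none.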
