JS Archive List WordPress Plugin PHP Object Injection Vulnerability

Vulnerability

A PHP Object Injection vulnerability has been identified in the JS Archive List plugin for WordPress, affecting all versions through 6.1.7. The vulnerability arises from the deserialization of untrusted input in the 'included' shortcode attribute. This flaw allows authenticated attackers with Contributor-level access or higher to inject PHP objects. While no known object injection chain exists within the vulnerable plugin itself, an attacker could exploit this vulnerability in conjunction with a compromised plugin or theme to delete files, access sensitive information, or execute code.
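The flaw class described above, as an added example that is not the plugin's own code: a shortcode attribute passed straight to unserialize(), beside a hardened parser. The function names are hypothetical, the sample inputs are constructed, and it is an assumption that the attribute is meant to carry a flat list of integer IDs.

```php
<?php
// Added illustration; not code from the JS Archive List plugin.
// Function names are hypothetical. Assumption: the attribute carries integer IDs.

// Unsafe pattern: attacker-controlled attribute text reaches unserialize().
// Any class loaded by WordPress, a theme or another plugin can be instantiated,
// and its magic methods (__wakeup, __destruct) run on attacker-chosen properties.
function parse_included_unsafe(string $attr)
{
    return unserialize($attr);
}

// Hardened pattern: never instantiate classes, then validate shape and type.
function parse_included_safe(string $attr): array
{
    // allowed_classes => false turns every object into __PHP_Incomplete_Class,
    // so no constructor-like magic method of a real class can fire.
    $value = @unserialize($attr, ['allowed_classes' => false]);
    if (!is_array($value)) {
        return []; // malformed input or a top-level object: reject outright
    }
    $ids = [];
    foreach ($value as $item) {
        // Keep only integers or all-digit strings; nested arrays/objects are dropped.
        if (is_int($item) || (is_string($item) && ctype_digit($item))) {
            $ids[] = (int) $item;
        }
    }
    return $ids;
}

// Constructed sample attribute values (stdClass is harmless and built in).
$samples = [
    'a:2:{i:0;i:3;i:1;i:7;}',        // legitimate list of IDs
    'O:8:"stdClass":0:{}',           // serialized object at top level
    'a:1:{i:0;O:8:"stdClass":0:{}}', // object nested inside an array
];

foreach ($samples as $s) {
    printf(
        "%-32s unsafe=%-6s safe=%s\n",
        $s,
        gettype(parse_included_unsafe($s)),
        json_encode(parse_included_safe($s))
    );
}
```

Storing such lists as comma-separated IDs or JSON removes the need for unserialize() on user-supplied attributes altogether.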

Impact

Exploitation of this vulnerability could lead to unauthorized PHP object injection, with potential consequences depending on the presence of a suitable object injection chain through other plugins or themes.

Remediation

Users are advised to update the JS Archive List WordPress plugin to version 6.2.0 or later.

Added: Mar 7, 2026, 2:28 AM
Updated: Mar 7, 2026, 2:28 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 5.3
remediation: 0.0
relevance: 3.6
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.