Leafcolor Applay Shortcodes Plugin PHP Object Injection Vulnerability
Vulnerability
A deserialization vulnerability allowing object injection has been identified in the Leafcolor Applay Shortcodes WordPress plugin, affecting versions through 3.7. The vulnerability arises from the deserialization of untrusted data, which can lead to several types of code injection, including PHP object injection.
Impact
Exploitation of this vulnerability could allow for PHP object injection, which, if a suitable property-oriented programming (POP) chain is available, could be leveraged to execute arbitrary code, inject malicious SQL, traverse the file system in an unauthorized manner, cause a denial-of-service condition, or achieve other harmful effects.
Remediation
Users are advised to update to a version of the Leafcolor Applay Shortcodes WordPress plugin that is later than 3.7. For those seeking immediate protection, Patchstack has released a mitigation rule that can be applied until an official patch is available.
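For developers auditing similar code, the bug class described above is shown next to two ways of closing it. This is an added example, not code from the plugin, and the advisory does not publish the affected code path. The CacheFile class, the loader function names and the sample string are constructed for illustration.

```php
<?php
// Added illustration, not code from the Applay Shortcodes plugin.
// CacheFile is a constructed stand-in for any loaded class whose magic
// method has a side effect (the raw material of a POP chain).
final class CacheFile
{
    public static $cleanups = 0;
    public $path = '';
    public function __destruct()
    {
        // A real class might delete $this->path here; this one only counts.
        self::$cleanups++;
    }
}

// Bug class from the advisory: untrusted bytes go straight to unserialize().
function load_unsafe(string $raw)
{
    return unserialize($raw);
}

// Hardened: objects in the input become inert __PHP_Incomplete_Class values.
function load_no_objects(string $raw)
{
    return unserialize($raw, ['allowed_classes' => false]);
}

// Preferred for request data: JSON cannot name a class at all.
function load_json(string $raw): array
{
    return (array) json_decode($raw, true, 16, JSON_THROW_ON_ERROR);
}

// Constructed sample input that names the stand-in class.
$sample = 'O:9:"CacheFile":1:{s:4:"path";s:8:"/tmp/x.y";}';

$obj = load_unsafe($sample);
unset($obj); // CacheFile::__destruct() runs on state taken from the input
printf("unsafe: %d destructor call(s)\n", CacheFile::$cleanups);

$inert = load_no_objects($sample);
printf("hardened: got %s\n", get_class($inert));
unset($inert); // no CacheFile code runs for the inert placeholder
printf("hardened: %d destructor call(s)\n", CacheFile::$cleanups);

try {
    load_json($sample);
} catch (JsonException $e) {
    printf("json: rejected (%s)\n", $e->getMessage());
}
```

The `allowed_classes` option requires PHP 7.0 or later and `JSON_THROW_ON_ERROR` requires PHP 7.3 or later.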
