cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,poc,trended,trended_no_1,published,trended_score
CVE-2024-10936,https://securityvulnerability.io/vulnerability/CVE-2024-10936,PHP Object Injection Vulnerability in String Locator Plugin for WordPress,"The String Locator plugin for WordPress contains a vulnerability that allows for PHP Object Injection due to improper handling of untrusted input during deserialization in the 'recursive_unserialize_replace' function. This flaw affects all versions up to and including 2.6.6. Attackers can exploit this vulnerability without authentication, potentially leading to the execution of arbitrary code, deletion of files, or unauthorized access to sensitive information if a suitable PHP Object Payload (POP) chain exists via other themes or plugins installed on the same site. The exploitation is triggered when an administrator initiates a search and replace action.",Wordpress,String Locator,8.8,HIGH,0.0006300000241026282,false,,false,false,false,false,false,false,2025-01-21T08:21:51.041Z,0
CVE-2023-6987,https://securityvulnerability.io/vulnerability/CVE-2023-6987,Reflected Cross-Site Scripting Vulnerability in String locator for WordPress,"The String locator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'sql-column' parameter in all versions up to, and including, 2.6.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. This required WP_DEBUG to be enabled in order to be exploited.",Wordpress,String Locator,6.1,MEDIUM,0.0004600000102072954,false,,false,false,false,,false,false,2024-08-24T02:02:28.310Z,0
CVE-2022-2434,https://securityvulnerability.io/vulnerability/CVE-2022-2434,Deserialization Vulnerability in String Locator Plugin for WordPress,"The String Locator plugin for WordPress suffers from a deserialization vulnerability due to improper handling of the 'string-locator-path' parameter. This exploit allows unauthenticated users to invoke files via a PHAR wrapper, potentially leading to significant security breaches if a site administrator unknowingly triggers malicious actions, such as clicking on a deceptive link. For an exploit to succeed, attackers must also upload a file containing a serialized payload. This vulnerability highlights the critical importance of validating and sanitizing user inputs to prevent unwarranted access and actions within WordPress plugins.",Wordpress,String Locator,8.8,HIGH,0.0019399999873712659,false,,false,false,false,,false,false,2022-09-06T17:18:57.000Z,0
CVE-2022-0493,https://securityvulnerability.io/vulnerability/CVE-2022-0493,String Locator < 2.5.0 - Admin+ Arbitrary File Read,"The String locator WordPress plugin before 2.5.0 does not properly validate the path of the files to be searched, allowing high privilege users such as admin to query arbitrary files on the web server via a path traversal vector. Furthermore, due to a flaw in the search, allowing a pattern to be provided, which will be used to output the relevant matches from the matching file, all content of the file can be disclosed.",Wordpress,String Locator,4.9,MEDIUM,0.0007699999841861427,false,,false,false,false,,false,false,2022-03-28T17:22:54.000Z,0