CVE-2023-5235

Severity CVSS v4.0:
Pending analysis
Type:
CWE-502 Deserialization of Untrusted Dat
Publication date:
08/01/2024
Last modified:
11/06/2025

Description

The Ovic Responsive WPBakery WordPress plugin before 1.2.9 does not limit which options can be updated via some of its AJAX actions, which may allow attackers with a subscriber+ account to update blog options, such as 'users_can_register' and 'default_role'. It also unserializes user input in the process, which may lead to Object Injection attacks.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:kutethemes:ovic_responsive_wpbakery:*:*:*:*:*:wordpress:*:* 1.2.9 (excluding)