QwikSec

Security Database

CVE

CWE

Training

CVE-2018-6195

Published: Jan 30, 2018

Modified: Aug 5, 2024

PUBLISHED

Description

admin/partials/wp-splashing-admin-main.php in the Splashing Images plugin (wp-splashing-images) before 2.1.1 for WordPress allows authenticated (administrator, editor, or author) remote attackers to conduct PHP Object Injection attacks via crafted serialized data in the 'session' HTTP GET parameter to wp-admin/upload.php.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://plugins.trac.wordpress.org/changeset/1807349/wp-splashing-images

x_refsource_CONFIRM

20180126 [CVE-2018-6194, CVE-2018-6195] PHP Object Injection + XSS in WordPress Splashing Images Plugin

mailing-list

x_refsource_FULLDISC

http://packetstormsecurity.com/files/146109/WordPress-Splashing-Images-2.1-Cross-Site-Scripting-PHP-Object-Injection.html

x_refsource_MISC

https://wpvulndb.com/vulnerabilities/9015

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.