CVE-2023-26326

CRITICAL

BuddyForms <2.7.8 - Insecure Deserialization

Title source: llm

Description

The BuddyForms WordPress plugin, in versions prior to 2.7.8, was affected by an unauthenticated insecure deserialization issue. An unauthenticated attacker could leverage this issue to call files using a PHAR wrapper that will deserialize the data and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present.

Exploits (2)

nomisec WORKING POC 1 stars

by omarelshopky · poc

https://github.com/omarelshopky/exploit_cve-2023-26326_using_cve-2024-2961

View Code ZIP pw:eip

nomisec WORKING POC

by mesudmammad1 · poc

https://github.com/mesudmammad1/CVE-2023-26326_Buddyform_exploit

View Code ZIP pw:eip

References (1)

[Exploit, Third Party Advisory] https://www.tenable.com/security/research/tra-2023-7

Scores

CVSS v3 9.8

EPSS 0.4504

EPSS Percentile 97.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-502

Status published

Affected Products (1)

themekraft/buddyforms < 2.7.8

Timeline

Published Feb 23, 2023

Tracked Since Feb 18, 2026