CVE-2024-13410

CVSSv4: NA | CVSSv3: 9.8 | CVSSv2: NA | VMScore: 1000 | EPSS: 0.00257 | KEV: Not Included
Published: 19/03/2025 Updated: 19/03/2025

Vulnerability Summary

PHP Object Injection in CozyStay and TinySalt WordPress Plugins via Deserialization

WordPress plugins CozyStay (up to version 1.7.0) and TinySalt (up to version 3.9.0) have a PHP Object Injection vulnerability in their 'ajax_handler' function. The issue allows unauthenticated attackers to inject PHP objects through deserialization of untrusted input. No direct exploit chain is currently known in these plugins themselves, but the vulnerability could become serious if another installed plugin or theme contains a Property Oriented Programming (POP) chain. In that case an attacker might delete files, access sensitive information, or execute code, depending on the specific POP chain present in the additional installed software.
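
The following added example (not code from CozyStay, TinySalt or this advisory, which does not show the handler) contrasts deserializing request data into objects with two hardened alternatives. The class `DemoTempFile`, the function names and the sample strings are constructed for illustration; the class stands in for one shipped by some other installed plugin or theme.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for a class from another plugin or theme.
// Its destructor only records that it ran.
final class DemoTempFile
{
    public static array $events = [];
    public string $path = '';

    public function __destruct()
    {
        self::$events[] = "destructor ran with path={$this->path}";
    }
}

// Pattern the advisory describes: request data passed straight to unserialize().
function decode_unsafe(string $raw)
{
    return unserialize($raw);
}

// Hardened option 1: keep the format but refuse to instantiate any class.
function decode_no_objects(string $raw)
{
    return unserialize($raw, ['allowed_classes' => false]);
}

// Hardened option 2: accept only JSON, which cannot carry PHP objects.
function decode_json(string $raw): ?array
{
    $data = json_decode($raw, true, 8);
    return is_array($data) ? $data : null;
}

// Constructed sample inputs.
$serialized = 'O:12:"DemoTempFile":1:{s:4:"path";s:14:"/tmp/demo.file";}';
$json       = '{"checkin":"2025-03-19","guests":2}';

$obj = decode_unsafe($serialized);
unset($obj); // last reference released, so the destructor runs
echo 'events after unsafe decode: ', count(DemoTempFile::$events), PHP_EOL;

$inert = decode_no_objects($serialized);
echo 'result class: ', get_class($inert), PHP_EOL;
unset($inert); // no DemoTempFile was built, so no destructor of that class runs
echo 'events after restricted decode: ', count(DemoTempFile::$events), PHP_EOL;

var_dump(decode_json($serialized)); // serialized PHP data is not valid JSON
var_dump(decode_json($json));
```

The unsafe path is the only one where the attacker-chosen class is instantiated and its magic method runs, which is why the impact depends on what classes other installed software makes available.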

Vulnerable Product

loftocean cozystay - hotel booking wordpress theme

loftocean tinysalt - personal food blog wordpress theme