WordPress NinjaFirewall plugin <= 4.3.3 - Authenticated PHAR Deserialization vulnerability

Software: NinjaFirewall
Versions: <= 4.3.3
Disclosure date: 2021-05-30
Classification: PHP Object Injection
OWASP Top 10: A8: Insecure Deserialization
CVSS 3.0 score: 3.8 (Low)

Requires admin authentication.

Details

An authenticated PHAR deserialization vulnerability, discovered by Chloe Chamberland, affects the WordPress NinjaFirewall plugin in versions <= 4.3.3.

Solution

Update the WordPress NinjaFirewall plugin to the latest available version (at least 4.3.4).
