There is a vulnerability in WordPress 3.9 that allows an attacker to execute arbitrary PHP code (remote code execution) and the details about the same are covered in CVE-2014-5203:
wp-includes/class-wp-customize-widgets.php in the widget implementation in WordPress 3.9.x before 3.9.2 might allow remote attackers to execute arbitrary code via crafted serialized data.
The wp-includes/class-wp-customize-widgets.php script uses the "unserialize()" function with user controlled input. This can be exploited to e.g. potentially execute arbitrary PHP code via a specially crafted serialized object.
Information about the bug: http://ift.tt/1ztcJhd
Can anyone give me an idea on how to exploit it?
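
Added example, not part of the original post and not WordPress's own code: one way to harden the pattern the advisory text describes, where serialized data round-trips through the client and is passed to `unserialize()`. The server authenticates the blob with an HMAC before decoding it and refuses to instantiate objects. The function names, the key and the sample settings are hypothetical, and the code assumes PHP 7.1 or later.

```php
<?php
// Added example: hypothetical helper names; SECRET_KEY is a constructed sample value.
const SECRET_KEY = 'constructed-sample-key-not-for-production';

/** Serialize a settings array and attach an HMAC so the server can recognise its own output. */
function seal_instance(array $instance): array {
    $encoded = base64_encode(serialize($instance));
    return [
        'encoded' => $encoded,
        'mac'     => hash_hmac('sha256', $encoded, SECRET_KEY),
    ];
}

/** Return the settings array, or null if the blob was not produced by seal_instance(). */
function open_instance(array $value): ?array {
    if (!isset($value['encoded'], $value['mac'])
        || !is_string($value['encoded']) || !is_string($value['mac'])) {
        return null;
    }
    $expected = hash_hmac('sha256', $value['encoded'], SECRET_KEY);
    // Constant-time comparison; reject before any byte reaches unserialize().
    if (!hash_equals($expected, $value['mac'])) {
        return null;
    }
    $raw = base64_decode($value['encoded'], true);
    if ($raw === false) {
        return null;
    }
    // Second layer: never instantiate objects, even from authenticated data.
    $instance = @unserialize($raw, ['allowed_classes' => false]);
    return is_array($instance) ? $instance : null;
}

// Constructed sample input: a blob sealed by the server round-trips unchanged.
$sealed = seal_instance(['title' => 'Recent Posts', 'number' => 5]);
var_dump(open_instance($sealed));

// Constructed sample input: the client replaced the payload but cannot recompute the MAC.
$tampered = $sealed;
$tampered['encoded'] = base64_encode(serialize(['title' => 'changed']));
var_dump(open_instance($tampered));
```

Where the data is only ever arrays and scalars, `json_encode()`/`json_decode()` removes the object-instantiation risk entirely and is the simpler choice.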