https://www.pluginvulnerabilities.com/2017/09/01/php-object-injection-vulnerability-in-videowhisper-live-streaming/

Recently we found that the plugin VideoWhisper Live Streaming contained a PHP object injection vulnerability.

The plugin makes the function vwls_calls() available through WordPress’ AJAX functionality whether the requester is logged in to WordPress or not (in the file /videowhisper_streaming.php ):

94 95 add_action( ‘wp_ajax_vwls’, array(‘VWliveStreaming’,’vwls_calls’)); add_action( ‘wp_ajax_nopriv_vwls’, array(‘VWliveStreaming’,’vwls_calls’));

add_action( ‘wp_ajax_vwls’, array(‘VWliveStreaming’,’vwls_calls’)); add_action( ‘wp_ajax_nopriv_vwls’,

Powered by WPeMatico