https://www.pluginvulnerabilities.com/2017/08/28/cross-site-request-forgery-csrfphp-object-injection-vulnerability-in-jayj-quicktag/

We recently found that the plugin Jayj Quicktag contained a cross-site request forgery (CSRF)/PHP object injection vulnerability.

The plugin’s settings page is generated with the function jayj_quicktag_options_page() in the file /jayj-quicktag.php. In that file if the POST input “jayj-quicktag-import-save” exists then the maybe_unserialize() function will be run on the POST input “jayj-quicktag-import”, which permits PHP object injection to occur:

Share This

We are using cookies on our website

Please confirm, if you accept our tracking cookies. You can also decline the tracking, so you can continue to visit our website without any data sent to third party services.