CVE-2023-1549
Published: 15 May 2023
Summary
CVE-2023-1549 is a high-severity vulnerability (weakness class unspecified) in Ad Inserter, from the Ad Inserter Project. Its CVSS base score is 7.2 (High).
Operationally, it ranks in the top 9.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
The Ad Inserter WordPress plugin before version 2.7.27 contains a PHP Object Injection vulnerability stemming from unsafe unserialization of user-supplied settings data. The affected component is the plugin's configuration handling routine, which processes attacker-controlled input without adequate sanitization or validation.
High-privilege users such as administrators can supply malicious serialized objects through the plugin settings interface. When a suitable gadget chain exists in the WordPress environment, this enables arbitrary object instantiation that may lead to remote code execution, file manipulation, or privilege escalation, consistent with the CVSS 7.2 rating reflecting network-accessible impact under high privileges.
The referenced WPScan advisories identify the flaw in versions prior to 2.7.27 and indicate that updating to the patched release mitigates the issue by removing the unsafe unserialize call.
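The following is an added illustration, not the Ad Inserter plugin's own code: a settings-import routine in the vulnerable shape the analysis describes, beside a hardened version that disables object instantiation and validates the result, plus a simple pre-check useful for logging. Function names and the shape of the settings blob are assumptions.

```php
<?php
// Added example, not the Ad Inserter plugin's code. Function names and the
// shape of the settings blob are assumptions for illustration.

// Vulnerable shape: unserialize() straight from a user-supplied option.
// Any class loaded in the WordPress process that defines __wakeup(),
// __destruct() or similar becomes instantiable, which is the "suitable
// gadget" precondition the advisory describes.
function import_settings_vulnerable(string $raw): array
{
    $settings = unserialize($raw);
    return is_array($settings) ? $settings : [];
}

// Hardened shape: same serialized format, but object instantiation is
// disabled, so no magic methods ever run, and the result is then checked
// to be nothing more than nested arrays of scalars.
function import_settings_hardened(string $raw): array
{
    $settings = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($settings)) {
        throw new InvalidArgumentException('settings must be an array');
    }
    array_walk_recursive($settings, function ($value) {
        // An object token now yields __PHP_Incomplete_Class; reject it.
        if ($value !== null && !is_scalar($value)) {
            throw new InvalidArgumentException('non-scalar setting value');
        }
    });
    return $settings;
}

// Detection aid for logging or request triage: flags serialized strings that
// carry an object (O:) or custom-serialized (C:) token. It may over-match on
// string contents, so treat it as a signal, not as the fix.
function looks_like_object_payload(string $raw): bool
{
    return (bool) preg_match('/(^|[;{])[OC]:\d+:"/', $raw);
}

// Constructed inputs: a benign settings blob and one carrying an object token.
$benign = serialize(['block_1' => ['enabled' => true, 'html' => '<div></div>']]);
$object = 'a:1:{s:7:"block_1";O:8:"stdClass":0:{}}';
var_dump(looks_like_object_payload($benign), looks_like_object_payload($object));
try {
    import_settings_hardened($object);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Where the settings format can be changed, storing the blob as JSON and reading it with json_decode($raw, true) removes the unserialize call altogether, which is the class of fix the patched release applies.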
EPSS for this CVE rose from lower values to a peak of 0.2036 on 2026-02-07 before receding to the current 0.0559, indicating a period of increased exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-23783
Vulnerability details
The Ad Inserter WordPress plugin before 2.7.27 unserializes user input provided via the settings, which could allow high-privilege users such as admin to perform PHP Object Injection when a suitable gadget is present.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.