Cyber Resilience

CVE-2023-1549

High · Public PoC

Published: 15 May 2023

Published: 15 May 2023
Modified: 24 January 2025
KEV Added: not listed
Patch:
CVSS Score (v3.1): 7.2, vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.0559 (90.5th percentile)
Risk Priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-1549 is a high-severity vulnerability in Ad Inserter Project's Ad Inserter plugin; the record does not name a specific weakness type (CWE). Its CVSS base score is 7.2 (High).

Operationally, it ranks in the top 9.5% of CVEs by exploit likelihood (EPSS), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

The Ad Inserter WordPress plugin before version 2.7.27 contains a PHP Object Injection vulnerability stemming from unsafe unserialization of user-supplied settings data. The affected component is the plugin's configuration handling routine, which processes attacker-controlled input without adequate sanitization or validation.

High-privilege users such as administrators can supply serialized objects through the plugin settings interface. When a suitable gadget chain exists in the WordPress environment (a class whose magic methods such as __wakeup() or __destruct() perform sensitive actions), unserializing that input instantiates attacker-chosen objects and may lead to remote code execution, file manipulation, or privilege escalation. This matches the CVSS 7.2 rating: network-accessible, high impact, but requiring high privileges.

The referenced WPScan advisories identify the flaw in versions prior to 2.7.27 and indicate that updating to the patched release mitigates the issue by removing the unsafe unserialize call.
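The pattern the advisory describes, and the two usual ways to close it, as an added example. This is not Ad Inserter's own code: `save_settings_vulnerable`, `save_settings_no_objects`, `save_settings_json` and the `ALLOWED_SETTINGS` key list are hypothetical names for a plugin settings handler, and the inputs at the bottom are constructed for the demonstration.

```php
<?php
// Added example (not Ad Inserter's code): a hypothetical plugin settings
// handler in the vulnerable shape the advisory describes, then hardened.

// VULNERABLE pattern: the serialized settings blob comes straight from the
// request, so an "O:" record naming a class that exists in the WordPress
// install is instantiated by unserialize() and its magic methods can run.
function save_settings_vulnerable(string $raw): array {
    $settings = unserialize($raw);           // caller controls the class graph
    return is_array($settings) ? $settings : [];
}

// HARDENED pattern 1: keep the wire format but forbid object instantiation.
// With allowed_classes => false, every object record becomes
// __PHP_Incomplete_Class, so no __wakeup()/__destruct() gadget is reached.
function save_settings_no_objects(string $raw): array {
    $settings = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($settings)) {
        return [];                           // objects or malformed data: refuse
    }
    array_walk_recursive($settings, function ($v) {
        if (is_object($v)) {                 // nested incomplete-class objects
            throw new InvalidArgumentException('objects are not valid settings');
        }
    });
    return $settings;
}

// HARDENED pattern 2 (preferred): change the wire format. JSON has no object
// instantiation semantics, and an explicit allow-list of keys with type
// checks replaces trust in the caller, admin or not.
const ALLOWED_SETTINGS = ['enabled' => 'boolean', 'position' => 'string', 'max_ads' => 'integer'];

function save_settings_json(string $raw): array {
    $decoded = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($decoded)) {
        return [];
    }
    $clean = [];
    foreach (ALLOWED_SETTINGS as $key => $type) {
        if (array_key_exists($key, $decoded) && gettype($decoded[$key]) === $type) {
            $clean[$key] = $decoded[$key];
        }
    }
    return $clean;                           // unknown keys such as "extra" are dropped
}

// Constructed inputs: a benign settings array and a serialized object of a
// harmless built-in class standing in for a gadget.
$benign = serialize(['enabled' => true, 'position' => 'top', 'max_ads' => 3]);
$object = 'O:8:"stdClass":1:{s:4:"note";s:2:"hi";}';

var_dump(save_settings_vulnerable($benign));   // array, as intended
var_dump(unserialize($object));                // stdClass instantiated: the risk
var_dump(save_settings_no_objects($object));   // []  (object refused)
var_dump(save_settings_json('{"enabled":true,"position":"top","max_ads":3,"extra":"x"}'));
```

Pattern 1 is the minimal change when stored settings already exist in PHP serialized form; pattern 2 is what a new settings schema should use. Either way the fix does not rely on the caller being an administrator, which is the point of the PR:H-but-still-High rating above.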

EPSS for this CVE rose from lower values to a peak of 0.2036 on 2026-02-07 before receding to the current 0.0559, indicating a period of increased exploitation interest after disclosure.

EU & UK References

Vulnerability details

The Ad Inserter WordPress plugin before 2.7.27 unserializes user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present.

CWE(s)
None listed

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: ad inserter project
Product: ad inserter
Version: ≤ 2.7.27

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References