Kata Plus - Insecure deserialization
Summary
Full name
Kata Plus - Addons for Elementor - Widgets, Extensions and Templates 1.5.2 - Insecure deserialization
Code name
State
Private
Release date
3 de jan. de 2025
Affected product
Kata Plus - Addons for Elementor - Widgets, Extensions and Templates
Affected version(s)
Version 1.5.2
Vulnerability name
Insecure deserialization
Vulnerability type
Remotely exploitable
No
CVSS v4.0 vector string
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U
Exploit available
No
CVE ID(s)
Description
Kata Plus - Addons for Elementor - Widgets, Extensions and Templates 1.5.2 was found to be vulnerable. Unvalidated user input is used directly in an unserialize function in myapp/includes/theme-options/plugins/customizer-export-import/classes/class-cei-core.php.
Vulnerability
Skims by Fluid Attacks discovered a Insecure deserialization in Kata Plus - Addons for Elementor - Widgets, Extensions and Templates 1.5.2. The following is the output of the tool:
Skims output
Our security policy
We have reserved the ID CVE-2025-0768 to refer to this issue from now on.
System Information
Version: Kata Plus - Addons for Elementor - Widgets, Extensions and Templates 1.5.2
Mitigation
There is currently no patch available for this vulnerability.
Timeline
Vulnerability discovered
3 de jan. de 2025
Vendor contacted
3 de jan. de 2025
