[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$ftpreWPH6LrwginPAh6yOwoG0wAHnOnHQz_JfwEp0G-w":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":28,"research_verified":29,"research_rounds_completed":30,"research_plan":31,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":32,"research_started_at":33,"research_completed_at":34,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":29,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":29,"source_links":35},"CVE-2026-49781","ottokit-all-in-one-automation-platform-unauthenticated-php-object-injection","OttoKit: All-in-One Automation Platform \u003C= 1.1.27 - Unauthenticated PHP Object Injection","The OttoKit: All-in-One Automation Platform plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.1.27 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.","suretriggers",null,"\u003C=1.1.27","1.1.28","high",8.1,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Deserialization of Untrusted Data","2026-06-04 00:00:00","2026-06-08 14:46:15",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F56a93247-f0b5-4801-a759-ef9af11273d7?source=api-prod",5,[22,23,24,25,26,27],"changelog.txt","functions.php","readme.txt","src\u002FAdmin\u002FViews\u002Fst-admin-outgoing-req-page.php","src\u002FControllers\u002FGlobalSearchController.php","src\u002FControllers\u002FWebhookRequestsController.php","researched",false,3,"This research plan targets **CVE-2026-49781**, a PHP Object Injection vulnerability in the **OttoKit: All-in-One Automation Platform** plugin.\n\n### 1. Vulnerability Summary\nThe OttoKit plugin (formerly SureTriggers) uses a \"Bridge\" mechanism to communicate with its SaaS platform. In versions up to and including 1.1.27, the plugin exposes a REST API endpoint that accepts a base64-encoded serialized string via the `data` parameter. Because this input is passed directly to `unserialize()` without sufficient authentication or validation during certain states (e.g., before the site is fully connected or via flaws in the signature check), an unauthenticated attacker can inject arbitrary PHP objects.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `POST \u002Fwp-json\u002Fsuretriggers\u002Fv1\u002Fbridge`\n*   **Alternative Endpoint:** `admin-ajax.php?action=handle_trigger_button_click` (via shortcode-generated forms).\n*   **Vulnerable Parameter:** `data` (Body or Query string depending on the handler).\n*   **Authentication:** Unauthenticated.\n*   **Preconditions:** The plugin must be active. The vulnerability is most accessible if the plugin has not yet been \"paired\" with the OttoKit SaaS, or if the signature verification can be bypassed.\n\n### 3. Code Flow\n1.  **Entry Point:** The plugin registers REST routes in `SureTriggers\\Controllers\\RestController` (referenced in `src\u002FControllers\u002FWebhookRequestsController.php`).\n2.  **Route Registration:** The route `\u002Fsuretriggers\u002Fv1\u002Fbridge` is registered with a `permission_callback` that may return `true` or fail to validate signatures when the site is in a \"disconnected\" state.\n3.  **The Sink:** The `bridge` method in `RestController` processes the request:\n    ```php\n    \u002F\u002F Logical flow inside RestController::bridge\n    public function bridge( $request ) {\n        $data = $request->get_param( 'data' ); \u002F\u002F User controlled input\n        if ( ! empty( $data ) ) {\n            $payload = unserialize( base","gemini-3-flash-preview","2026-06-26 04:47:26","2026-06-26 04:49:33",{"type":36,"vulnerable_version":37,"fixed_version":11,"vulnerable_browse":38,"vulnerable_zip":39,"fixed_browse":40,"fixed_zip":41,"all_tags":42},"plugin","1.1.27","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsuretriggers\u002Ftags\u002F1.1.27","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsuretriggers.1.1.27.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsuretriggers\u002Ftags\u002F1.1.28","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsuretriggers.1.1.28.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsuretriggers\u002Ftags"]