Description
This web application uses Object Reflection in an insecure way. Object Reflection is a programming technique used to inspect and change the behavior of a program at runtime. It allows code to instantiate new objects, invoke methods, and get or set class variables dynamically at runtime, without prior knowledge of their implementation.
It was determined that an attacker can control the class name to be instantiated via externally-controlled user input.
Remediation
Apply strict input validation by using allowlists or indirect selection to ensure that the user is only selecting allowable classes or code.
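The following sketch is an added example, not code from the scanned application or from this advisory. It shows the vulnerable pattern beside both remediations. It assumes Python, uses the standard library's csv dialect classes as stand-ins for the classes a user may legitimately select, and all function names are hypothetical.

```python
import csv
import importlib

def _instantiate(qualified_name):
    """Reflective lookup: import the module, fetch the attribute, call it."""
    module_name, _, class_name = qualified_name.rpartition(".")
    return getattr(importlib.import_module(module_name), class_name)()

def create_unsafe(requested):
    # Vulnerable pattern from the description: the request value alone
    # decides which class is loaded and constructed.
    return _instantiate(requested)

# Allowlist: exact-match set of the only class names the feature needs
# (assumed here to be three csv dialects). No prefix or pattern matching.
ALLOWED_CLASSES = frozenset({"csv.excel", "csv.excel_tab", "csv.unix_dialect"})

def create_allowlisted(requested):
    # Validate before any reflective call touches the value.
    if not isinstance(requested, str) or requested not in ALLOWED_CLASSES:
        raise ValueError("class not permitted")
    return _instantiate(requested)

# Indirect selection: the request carries an opaque key. Class names never
# leave the server and no reflective lookup runs on user input.
DIALECTS = {"excel": csv.excel, "tab": csv.excel_tab, "unix": csv.unix_dialect}

def create_by_key(key):
    factory = DIALECTS.get(key) if isinstance(key, str) else None
    if factory is None:
        raise ValueError("unknown dialect key")
    return factory()
```

Indirect selection is the stronger of the two because the user-supplied value is never passed to the reflection API at all.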
Related Vulnerabilities
WordPress Plugin WP Mail Logging Security Bypass (1.11.2)
WordPress Plugin MediaPress Security Bypass (1.1.9)
WordPress Plugin YITH Desktop Notifications for WooCommerce Security Bypass (1.2.7)
WordPress Plugin YITH WooCommerce Multi Vendor Security Bypass (3.4.0)
WordPress Plugin Theme Blvd Widget Areas Multiple Security Bypass Vulnerabilities (1.2.2)