Captivate Sync - Insecure deserialization
1.7
Low
Summary
Full name
Captivate Sync 3.0. - Insecure deserialization
Code name
State
Private
Release date
Mar 14, 2025
Affected product
Captivate Sync
Affected version(s)
Version 3.0.
Vulnerability name
Insecure deserialization
Vulnerability type
Remotely exploitable
No
CVSS v4.0 vector string
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U
CVSS v4.0 base score
1.7
Exploit available
No
CVE ID(s)
Description
Captivate Sync 3.0. was found to be vulnerable. Unvalidated user input is used directly in an unserialize function in myapp/inc/class-captivate-sync-shortcode .php.
Vulnerability
Skims by Fluid Attacks discovered a Insecure deserialization in Captivate Sync 3.0.. The following is the output of the tool:
Skims output
293 | public static function shortcode_loadmore() {
294 |
295 | $output = '';
296 |
297 | if ( ! isset( $_POST['_nonce'] ) || ! wp_verify_nonce( $_POST['_nonce'], '_cfm_front_nonce' ) ) {
298 | $output = '<p><strong>ERROR:</strong> Something went wrong! Please refresh the page and try again.</p>';
299 | }
300 | else {
> 301 | $a = unserialize( base64_decode( $_POST['shortcode_atts'] ) );
302 | $show_ids = ( '' != $a['show_id'] ) ? explode( ',', $a['show_id'] ) : array();
303 | $episode_ids = ( '' != $a['episode_id'] ) ? explode( ',', $a['episode_id'] ) : array();
304 |
305 | if ( ! empty( $show_ids ) || ! empty( $episode_ids ) ) {
306 |
307 | $paged = sanitize_text_field( wp_unslash( $_POST['current_page'] ) );
308 | $podcasts = ( ! empty( $episode_ids ) ) ? cfm_get_show_ids() : $show_ids;
309 | $orderby = ( 'episodes' == $a['order'] ) ? 'post__in' : 'date';
310 |
311 | $get_episodes = array(
312 | 'post_type' => 'captivate_podcast',
313 | 'posts_per_page' => (int) $a['items'],
314 | 'orderby' => $orderby,
315 | 'order' => $a['order'],
316 | 'post_status' => array( 'publish' ),
317 | 'meta_query' => array(
318 | array(
319 | 'key' => 'cfm_show_id',
320 | 'value' => $podcasts,
321 | 'compare' => 'IN',
322 | ),
323 | array(
324 | 'relation' => 'OR',
325 | array(
326 | 'key' => 'cfm_episode_website_active',
327 | 'value' => '1',
328 | 'compare' => '='
329 | ),
330 | array(
331 | 'key' => 'cfm_episode_website_active',
332 | 'compare' => 'NOT EXISTS',
333 | )
334 | )
335 | ),
336 | 'paged' => $paged,
337 | );
338 |
339 | if ( ! empty( $episode_ids ) ) {
340 | $get_episodes['post__in'] = $episode_ids;
341 | }
342 |
343 | $episodes = new WP_Query( $get_episodes );
344 |
345 | if ( $episodes->have_posts() ) {
346 |
347 | $cfm_general_settings = get_option( 'cfm_general_settings' );
348 | $season_episode_number_enable = isset( $cfm_general_settings['season_episode_number_enable'] ) ? $cfm_general_settin
349 |
350 | $layout_class = $a['layout'] == 'grid' ? 'cfm-episodes-grid' : 'cfm-episodes-list';
351 | $column_class = $a['layout'] == 'grid' ? ' cfm-episodes-cols-' . $a['columns'] : '';
352 |
353 | // output style if at least one color is set.
354 | if ( '' != $a['title_color'] || $a['title_hover_color'] || $a['link_text_color'] || $a['link_text_hover_color'] ) {
355 | $output .= '<style>';
356 | $output .= ( '' != $a['title_color'] ) ? '#cfm-episodes-' . $i . ' .cfm-episode-title a{color:' . sanitize_hex_col
357 | $output .= ( '' != $a['title_hover_color'] ) ? '#cfm-episodes-' . $i . ' .cfm-episode-title a:hover{color:' . sani
358 | $output .= ( '' != $a['link_text_color'] ) ? '#cfm-episodes-' . $i . ' .cfm-episode-link a {color:' . sanitize_hex
359 | $output .= ( '' != $a['link_text_hover_color'] ) ? '#cfm-episodes-' . $i . ' .cfm-episode-link a:hover{color:' . s
360 | $output .= '</style>';
361 | }
362 |
363 | while ( $episodes->have_posts() ) :
364 |
365 | $episodes->the_post();
366 | $post_id = get_the_ID();
367 | $episode_title = get_the_title();
368 | $featured_image_class = has_post_thumbnail( $post_id ) && ( $a['image'] == 'left' || $a['image'] == 'right' ) && $a
369 | $player = '<div class=""cfm-episode-player"">' . cfm_captivate_player( $post_id ) . '</div>';
370 |
371 | $cfm_show_id = get_post_meta( $post_id, 'cfm_show_id', true );
372 | $show_se_number_enable = cfm_get_show_info( $cfm_show_id, 'season_episode_number_enable' );
373 |
374 | // season and episode number.
375 | if ( 'show' == $a['se_num'] && '1' != $season_episode_number_enable && '1' != $show_se_number_enable ) {
376 | $episode_title = cfm_get_se_num_format( $post_id ) . get_the_title();
377 | }
378 |
379 | // title tag.
380 | $allowed_tags = array( 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'div', 'p');
381 | $title_tag = in_array( $a['title_tag'], $allowed_tags ) ? $a['title_tag'] : 'h2';
382 |
383 | $output .= '<div class=""cfm-episode-wrap' . $featured_image_class . '"">';
384 |
385 | // featured image left container start.
386 | if ( has_post_thumbnail( $post_id ) && $a['image'] == 'left' && $a['layout'] == 'list' )
387 | $output .= '<div class=""cfm-episode-image-left""><div class=""cfm-episode-image""><a href=""' . get_permalink() . '"">
388 |
389 | // featured image left container end, content right start.
390 | if ( has_post_thumbnail( $post_id ) && $a['image'] == 'left' && $a['layout'] == 'list' )
391 | $output .= '</div><div class=""cfm-episode-content-right"">';
392 |
393 | // content left start.
394 | if ( has_post_thumbnail( $post_id ) && $a['image'] == 'right' && $a['layout'] == 'list' )
395 | $output .= '<div class=""cfm-episode-content-left"">';
396 |
397 | // featured image above title.
398 | if ( has_post_thumbnail( $post_id ) && $a['image'] == 'above_title' )
399 | $output .= '<div class=""cfm-episode-image""><a href=""' . get_permalink() . '"">' . get_the_post_thumbnail( $post_id
400 |
401 | // title.
402 | if ( $a['title'] == 'show' )
403 | $output .= '<div class=""cfm-episode-title""><' . $title_tag . '><a href=""' . get_permalink() . '"">' . $episode_tit
404 |
405 | // featured image below title.
406 | if ( has_post_thumbnail( $post_id ) && $a['image'] == 'below_title' )
407 | $output .= '<div class=""cfm-episode-image""><a href=""' . get_permalink() . '"">' . get_the_post_thumbnail( $post_id
408 |
409 | // player above content.
410 | if ( $a['player'] == 'above_content' )
411 | $output .= $player;
412 |
413 | // content excerpt.
414 | if ( $a['content'] == 'excerpt' )
415 | $output .= '<div class=""cfm-episode-content"">' . wp_trim_words( get_the_excerpt(), $a['content_length'], '...' )
416 |
417 | // content full text.
418 | if ( $a['content'] == 'fulltext' )
419 | $output .= '<div class=""cfm-episode-content"">' . get_the_content() . '</div>';
420 |
421 | // player below content.
422 | if ( $a['player'] == 'below_content' )
423 | $output .= $player;
424 |
425 | // permalink.
426 | if ( $a['link'] == 'show' )
427 | $output .= '<div class=""cfm-episode-link""><a href=""' . get_permalink() . '"">' . esc_html( $a['link_text'] ) . '</
428 |
429 | // content right end.
430 | if ( has_post_thumbnail( $post_id ) && $a['image'] == 'left' && $a['layout'] == 'list' )
431 | $output .= '</div>';
432 |
433 | // content left end, featured image right container start.
434 | if ( has_post_thumbnail( $post_id ) && $a['image'] == 'right' && $a['layout'] == 'list' )
435 | $output .= '</div><div class=""cfm-episode-image-right""><div class=""cfm-episode-image""><a href=""' . get_permalink(
436 |
437 | $output .= '</div>';
438 |
439 | endwhile;
440 |
441 | wp_reset_postdata();
442 |
443 | }
444 | else {
445 | $output = 'no_more';
446 | }
447 |
448 | }
449 | else {
450 | $output = 'nothing_found';
451 | }
452 |
453 | }
454 |
455 | echo $output;
456 |
457 | wp_die();
458 |
459 | }
^ Col 0Our security policy
We have reserved the ID CVE-2025-31306 to refer to this issue from now on. Disclosure policy
System Information
Product: Captivate Sync
Version: 3.0.
Mitigation
There is currently no patch available for this vulnerability.
Timeline
Vulnerability discovered
Mar 14, 2025
Vendor contacted
Mar 14, 2025
Start your 21-day free trial
Discover the benefits of our Continuous Hacking solution, which organizations of all sizes are already enjoying.
Start your 21-day free trial
Discover the benefits of our Continuous Hacking solution, which organizations of all sizes are already enjoying.
Start your 21-day free trial
Discover the benefits of our Continuous Hacking solution, which organizations of all sizes are already enjoying.
Fluid Attacks' solutions enable organizations to identify, prioritize, and remediate vulnerabilities in their software throughout the SDLC. Supported by AI, automated tools, and pentesters, Fluid Attacks accelerates companies' risk exposure mitigation and strengthens their cybersecurity posture.
Targets
Resources
SOC 2 Type II
SOC 3
Subscribe to our newsletter
Stay updated on our upcoming events and latest blog posts, advisories and other engaging resources.
© 2025 Fluid Attacks. We hack your software.
Fluid Attacks' solutions enable organizations to identify, prioritize, and remediate vulnerabilities in their software throughout the SDLC. Supported by AI, automated tools, and pentesters, Fluid Attacks accelerates companies' risk exposure mitigation and strengthens their cybersecurity posture.
Targets
Resources
SOC 2 Type II
SOC 3
Subscribe to our newsletter
Stay updated on our upcoming events and latest blog posts, advisories and other engaging resources.
© 2025 Fluid Attacks. We hack your software.
Fluid Attacks' solutions enable organizations to identify, prioritize, and remediate vulnerabilities in their software throughout the SDLC. Supported by AI, automated tools, and pentesters, Fluid Attacks accelerates companies' risk exposure mitigation and strengthens their cybersecurity posture.
Targets
Resources
SOC 2 Type II
SOC 3
Subscribe to our newsletter
Stay updated on our upcoming events and latest blog posts, advisories and other engaging resources.
© 2025 Fluid Attacks. We hack your software.