Captivate Sync - Insecure deserialization
1,7
Low
Summary
Full name
Captivate Sync 3.0. - Insecure deserialization
Code name
State
Private
Release date
14 mar 2025
Affected product
Captivate Sync
Affected version(s)
Version 3.0.
Vulnerability name
Insecure deserialization
Vulnerability type
Remotely exploitable
No
CVSS v4.0 vector string
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U
CVSS v4.0 base score
1.7
Exploit available
No
CVE ID(s)
Description
Captivate Sync 3.0. was found to be vulnerable. Unvalidated user input is used directly in an unserialize function in myapp/inc/class-captivate-sync-shortcode .php.
Vulnerability
Skims by Fluid Attacks discovered a Insecure deserialization in Captivate Sync 3.0.. The following is the output of the tool:
Skims output
293 | public static function shortcode_loadmore() {
294 |
295 | $output = '';
296 |
297 | if ( ! isset( $_POST['_nonce'] ) || ! wp_verify_nonce( $_POST['_nonce'], '_cfm_front_nonce' ) ) {
298 | $output = '<p><strong>ERROR:</strong> Something went wrong! Please refresh the page and try again.</p>';
299 | }
300 | else {
> 301 | $a = unserialize( base64_decode( $_POST['shortcode_atts'] ) );
302 | $show_ids = ( '' != $a['show_id'] ) ? explode( ',', $a['show_id'] ) : array();
303 | $episode_ids = ( '' != $a['episode_id'] ) ? explode( ',', $a['episode_id'] ) : array();
304 |
305 | if ( ! empty( $show_ids ) || ! empty( $episode_ids ) ) {
306 |
307 | $paged = sanitize_text_field( wp_unslash( $_POST['current_page'] ) );
308 | $podcasts = ( ! empty( $episode_ids ) ) ? cfm_get_show_ids() : $show_ids;
309 | $orderby = ( 'episodes' == $a['order'] ) ? 'post__in' : 'date';
310 |
311 | $get_episodes = array(
312 | 'post_type' => 'captivate_podcast',
313 | 'posts_per_page' => (int) $a['items'],
314 | 'orderby' => $orderby,
315 | 'order' => $a['order'],
316 | 'post_status' => array( 'publish' ),
317 | 'meta_query' => array(
318 | array(
319 | 'key' => 'cfm_show_id',
320 | 'value' => $podcasts,
321 | 'compare' => 'IN',
322 | ),
323 | array(
324 | 'relation' => 'OR',
325 | array(
326 | 'key' => 'cfm_episode_website_active',
327 | 'value' => '1',
328 | 'compare' => '='
329 | ),
330 | array(
331 | 'key' => 'cfm_episode_website_active',
332 | 'compare' => 'NOT EXISTS',
333 | )
334 | )
335 | ),
336 | 'paged' => $paged,
337 | );
338 |
339 | if ( ! empty( $episode_ids ) ) {
340 | $get_episodes['post__in'] = $episode_ids;
341 | }
342 |
343 | $episodes = new WP_Query( $get_episodes );
344 |
345 | if ( $episodes->have_posts() ) {
346 |
347 | $cfm_general_settings = get_option( 'cfm_general_settings' );
348 | $season_episode_number_enable = isset( $cfm_general_settings['season_episode_number_enable'] ) ? $cfm_general_settin
349 |
350 | $layout_class = $a['layout'] == 'grid' ? 'cfm-episodes-grid' : 'cfm-episodes-list';
351 | $column_class = $a['layout'] == 'grid' ? ' cfm-episodes-cols-' . $a['columns'] : '';
352 |
353 | // output style if at least one color is set.
354 | if ( '' != $a['title_color'] || $a['title_hover_color'] || $a['link_text_color'] || $a['link_text_hover_color'] ) {
355 | $output .= '<style>';
356 | $output .= ( '' != $a['title_color'] ) ? '#cfm-episodes-' . $i . ' .cfm-episode-title a{color:' . sanitize_hex_col
357 | $output .= ( '' != $a['title_hover_color'] ) ? '#cfm-episodes-' . $i . ' .cfm-episode-title a:hover{color:' . sani
358 | $output .= ( '' != $a['link_text_color'] ) ? '#cfm-episodes-' . $i . ' .cfm-episode-link a {color:' . sanitize_hex
359 | $output .= ( '' != $a['link_text_hover_color'] ) ? '#cfm-episodes-' . $i . ' .cfm-episode-link a:hover{color:' . s
360 | $output .= '</style>';
361 | }
362 |
363 | while ( $episodes->have_posts() ) :
364 |
365 | $episodes->the_post();
366 | $post_id = get_the_ID();
367 | $episode_title = get_the_title();
368 | $featured_image_class = has_post_thumbnail( $post_id ) && ( $a['image'] == 'left' || $a['image'] == 'right' ) && $a
369 | $player = '<div class=""cfm-episode-player"">' . cfm_captivate_player( $post_id ) . '</div>';
370 |
371 | $cfm_show_id = get_post_meta( $post_id, 'cfm_show_id', true );
372 | $show_se_number_enable = cfm_get_show_info( $cfm_show_id, 'season_episode_number_enable' );
373 |
374 | // season and episode number.
375 | if ( 'show' == $a['se_num'] && '1' != $season_episode_number_enable && '1' != $show_se_number_enable ) {
376 | $episode_title = cfm_get_se_num_format( $post_id ) . get_the_title();
377 | }
378 |
379 | // title tag.
380 | $allowed_tags = array( 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'div', 'p');
381 | $title_tag = in_array( $a['title_tag'], $allowed_tags ) ? $a['title_tag'] : 'h2';
382 |
383 | $output .= '<div class=""cfm-episode-wrap' . $featured_image_class . '"">';
384 |
385 | // featured image left container start.
386 | if ( has_post_thumbnail( $post_id ) && $a['image'] == 'left' && $a['layout'] == 'list' )
387 | $output .= '<div class=""cfm-episode-image-left""><div class=""cfm-episode-image""><a href=""' . get_permalink() . '"">
388 |
389 | // featured image left container end, content right start.
390 | if ( has_post_thumbnail( $post_id ) && $a['image'] == 'left' && $a['layout'] == 'list' )
391 | $output .= '</div><div class=""cfm-episode-content-right"">';
392 |
393 | // content left start.
394 | if ( has_post_thumbnail( $post_id ) && $a['image'] == 'right' && $a['layout'] == 'list' )
395 | $output .= '<div class=""cfm-episode-content-left"">';
396 |
397 | // featured image above title.
398 | if ( has_post_thumbnail( $post_id ) && $a['image'] == 'above_title' )
399 | $output .= '<div class=""cfm-episode-image""><a href=""' . get_permalink() . '"">' . get_the_post_thumbnail( $post_id
400 |
401 | // title.
402 | if ( $a['title'] == 'show' )
403 | $output .= '<div class=""cfm-episode-title""><' . $title_tag . '><a href=""' . get_permalink() . '"">' . $episode_tit
404 |
405 | // featured image below title.
406 | if ( has_post_thumbnail( $post_id ) && $a['image'] == 'below_title' )
407 | $output .= '<div class=""cfm-episode-image""><a href=""' . get_permalink() . '"">' . get_the_post_thumbnail( $post_id
408 |
409 | // player above content.
410 | if ( $a['player'] == 'above_content' )
411 | $output .= $player;
412 |
413 | // content excerpt.
414 | if ( $a['content'] == 'excerpt' )
415 | $output .= '<div class=""cfm-episode-content"">' . wp_trim_words( get_the_excerpt(), $a['content_length'], '...' )
416 |
417 | // content full text.
418 | if ( $a['content'] == 'fulltext' )
419 | $output .= '<div class=""cfm-episode-content"">' . get_the_content() . '</div>';
420 |
421 | // player below content.
422 | if ( $a['player'] == 'below_content' )
423 | $output .= $player;
424 |
425 | // permalink.
426 | if ( $a['link'] == 'show' )
427 | $output .= '<div class=""cfm-episode-link""><a href=""' . get_permalink() . '"">' . esc_html( $a['link_text'] ) . '</
428 |
429 | // content right end.
430 | if ( has_post_thumbnail( $post_id ) && $a['image'] == 'left' && $a['layout'] == 'list' )
431 | $output .= '</div>';
432 |
433 | // content left end, featured image right container start.
434 | if ( has_post_thumbnail( $post_id ) && $a['image'] == 'right' && $a['layout'] == 'list' )
435 | $output .= '</div><div class=""cfm-episode-image-right""><div class=""cfm-episode-image""><a href=""' . get_permalink(
436 |
437 | $output .= '</div>';
438 |
439 | endwhile;
440 |
441 | wp_reset_postdata();
442 |
443 | }
444 | else {
445 | $output = 'no_more';
446 | }
447 |
448 | }
449 | else {
450 | $output = 'nothing_found';
451 | }
452 |
453 | }
454 |
455 | echo $output;
456 |
457 | wp_die();
458 |
459 | }
^ Col 0Our security policy
We have reserved the ID CVE-2025-31306 to refer to this issue from now on. Disclosure policy
System Information
Product: Captivate Sync
Version: 3.0.
Mitigation
There is currently no patch available for this vulnerability.
Timeline
IA generativa
14 mar 2025
Vendor contacted
14 mar 2025
Inicia tu prueba gratuita de 21 días
Descubre los beneficios de nuestra solución Hacking Continuo, de la que ya disfrutan empresas de todos los tamaños.
Inicia tu prueba gratuita de 21 días
Descubre los beneficios de nuestra solución Hacking Continuo, de la que ya disfrutan empresas de todos los tamaños.
Inicia tu prueba gratuita de 21 días
Descubre los beneficios de nuestra solución Hacking Continuo, de la que ya disfrutan empresas de todos los tamaños.
Las soluciones de Fluid Attacks permiten a las organizaciones identificar, priorizar y remediar vulnerabilidades en su software a lo largo del SDLC. Con el apoyo de la IA, herramientas automatizadas y pentesters, Fluid Attacks acelera la mitigación de la exposición al riesgo de las empresas y fortalece su postura de ciberseguridad.
Objetivos
Recursos
SOC 2 Type II
SOC 3
Suscríbete a nuestro boletín
Mantente al día sobre nuestros próximos eventos y los últimos blog posts, advisories y otros recursos interesantes.
© 2025 Fluid Attacks. We hack your software.
Las soluciones de Fluid Attacks permiten a las organizaciones identificar, priorizar y remediar vulnerabilidades en su software a lo largo del SDLC. Con el apoyo de la IA, herramientas automatizadas y pentesters, Fluid Attacks acelera la mitigación de la exposición al riesgo de las empresas y fortalece su postura de ciberseguridad.
Objetivos
Recursos
SOC 2 Type II
SOC 3
Suscríbete a nuestro boletín
Mantente al día sobre nuestros próximos eventos y los últimos blog posts, advisories y otros recursos interesantes.
© 2025 Fluid Attacks. We hack your software.
Las soluciones de Fluid Attacks permiten a las organizaciones identificar, priorizar y remediar vulnerabilidades en su software a lo largo del SDLC. Con el apoyo de la IA, herramientas automatizadas y pentesters, Fluid Attacks acelera la mitigación de la exposición al riesgo de las empresas y fortalece su postura de ciberseguridad.
Objetivos
Recursos
SOC 2 Type II
SOC 3
Suscríbete a nuestro boletín
Mantente al día sobre nuestros próximos eventos y los últimos blog posts, advisories y otros recursos interesantes.
© 2025 Fluid Attacks. We hack your software.