CVE-2024-10936
Published: 21 January 2025
Description
The String locator plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.6.6 via deserialization of untrusted input in the 'recursive_unserialize_replace' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. An administrator must perform a search and replace action to trigger the exploit.
Security Summary
CVE-2024-10936 is a PHP Object Injection vulnerability (CWE-502) in the String Locator plugin for WordPress, affecting all versions up to and including 2.6.6. The flaw stems from deserialization of untrusted input within the 'recursive_unserialize_replace' function, which enables attackers to inject a PHP Object.
Unauthenticated attackers can exploit the vulnerability over the network with low complexity and no privileges required, though it requires user interaction: an administrator must perform a search and replace action to trigger the deserialization. While no known property-oriented programming (POP) chain exists in the vulnerable plugin itself, a POP chain introduced via additional plugins or themes on the target system could enable arbitrary file deletion, sensitive data retrieval, or code execution. The issue carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
Mitigation guidance from advisories points to updating the plugin; changeset 3222952 in the WordPress plugins trac addresses the deserialization issue in the class-sql.php file around line 170. Further details on the vulnerability and remediation are available in the Wordfence threat intelligence report.
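The following is an added illustration of the vulnerability class described above; it is not code from the String Locator plugin or from the referenced changeset. It shows the general shape of a recursive "unserialize, replace, re-serialize" helper (the reason such tools must deserialize is that editing a string inside serialized data changes its byte length, which has to be recomputed on re-serialization). The same function is run in an unrestricted mode, which instantiates whatever class the stored data names and fires its magic methods, and in a hardened mode that passes `allowed_classes => false` so objects become `__PHP_Incomplete_Class` and no `__wakeup()` or `__destruct()` can run. `AuditedClass`, `looks_serialized()` (a simplified stand-in for WordPress's `is_serialized()`), `walk_and_replace()` and the sample option value are all constructed for this example.

```php
<?php
// Added illustration (not the String Locator plugin's own code) of the
// pattern behind CVE-2024-10936: a search-and-replace helper that must
// unserialize stored values so nested strings can be edited and their
// byte lengths recomputed on re-serialization. Names below are constructed.

// Constructed stand-in for a "gadget" class that some other plugin or
// theme might ship: its __wakeup() only counts how often it ran.
class AuditedClass {
    public static int $wakeups = 0;
    public string $note = '';
    public function __wakeup(): void { self::$wakeups++; }
}

// Cheap prefix check standing in for WordPress's is_serialized() (assumption).
function looks_serialized(string $data): bool {
    return preg_match('/^(?:[aOsibd]:|N;)/', $data) === 1;
}

// $hardened === false reproduces the vulnerable shape: unserialize() with no
// restrictions, so any class named in the stored data is instantiated and its
// magic methods run. $hardened === true passes allowed_classes => false, which
// turns every object into __PHP_Incomplete_Class (no constructor, no __wakeup,
// no __destruct) while arrays and scalars are still rewritten.
function walk_and_replace($value, string $from, string $to, bool $hardened) {
    if (is_string($value)) {
        if (looks_serialized($value)) {
            $opts    = $hardened ? ['allowed_classes' => false] : [];
            $decoded = @unserialize($value, $opts);
            // unserialize('b:0;') legitimately returns false; treat it as valid.
            if ($decoded !== false || $value === 'b:0;') {
                return serialize(walk_and_replace($decoded, $from, $to, $hardened));
            }
        }
        return str_replace($from, $to, $value);
    }
    if (is_array($value)) {
        foreach ($value as $k => $v) {
            $value[$k] = walk_and_replace($v, $from, $to, $hardened);
        }
        return $value;
    }
    // Incomplete classes are passed through untouched so they re-serialize
    // byte-for-byte; real objects (reachable only in the unrestricted mode)
    // have their public properties rewritten.
    if (is_object($value) && !($value instanceof __PHP_Incomplete_Class)) {
        foreach (get_object_vars($value) as $k => $v) {
            $value->$k = walk_and_replace($v, $from, $to, $hardened);
        }
    }
    return $value;
}

// Constructed sample of a stored option: a serialized array holding a URL and
// a string that is itself a serialized object, i.e. data the replace job reads
// but that the administrator running the job never chose to instantiate.
$stored = serialize([
    'site_url' => 'http://old.example',
    'nested'   => 'O:12:"AuditedClass":1:{s:4:"note";s:18:"http://old.example";}',
]);

walk_and_replace($stored, 'http://old.example', 'https://new.example', false);
printf("unrestricted mode: __wakeup() ran %d time(s)\n", AuditedClass::$wakeups);

AuditedClass::$wakeups = 0;
$result = walk_and_replace($stored, 'http://old.example', 'https://new.example', true);
printf("hardened mode:     __wakeup() ran %d time(s)\n", AuditedClass::$wakeups);
echo $result, "\n";
```

Two points worth checking when reviewing code of this shape. First, the `allowed_classes` option has to reach every `unserialize()` call, including the recursive ones: a nested serialized string that lands in a single unrestricted call is enough to instantiate a class. Second, the hardened mode deliberately leaves objects untouched (in the output above the `AuditedClass` string is re-serialized unchanged while the top-level URL is rewritten); if a product needs to rewrite object properties, the safer route is an explicit allow-list of expected class names rather than unrestricted deserialization.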
Details
- CWE(s)