CVE-2024-13410
Published: 19 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2024-13410 is a PHP Object Injection vulnerability affecting the CozyStay and TinySalt plugins for WordPress. It arises from deserialization of untrusted input in the ajax_handler function, impacting all versions up to and including 1.7.0 for CozyStay and 3.9.0 for TinySalt. This flaw, classified under CWE-502 (Deserialization of Untrusted Data), carries a CVSS v3.1 base score of 9.8, reflecting its critical severity due to network accessibility and low complexity.
Unauthenticated attackers can exploit this vulnerability remotely without privileges or user interaction. They can inject a PHP object through the vulnerable endpoint, but on its own the injection has no direct impact, because no known Property-Oriented Programming (POP) chain exists within the affected plugins. Turning the injection into an impact requires a separate plugin or theme on the target site that provides a POP chain; depending on that chain's capabilities, the result can range from deleting arbitrary files to retrieving sensitive data or executing arbitrary code.
Advisories and changelogs from ThemeForest for both plugins, along with the Wordfence threat intelligence report, provide details on mitigation. Security practitioners should update CozyStay and TinySalt to versions beyond 1.7.0 and 3.9.0, respectively, where the deserialization issue has been addressed, as indicated in the referenced changelogs.
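As an added illustration of the weakness class the summary describes (this is example code written for this page, not code from CozyStay, TinySalt, ThemeForest or Wordfence), the following shows a WordPress AJAX handler in the weak CWE-502 form, where request data reaches unserialize() unrestricted, beside a hardened form. The hook name example_filter, the payload and nonce parameter names, and the filter fields are assumptions for the example and are not identifiers from the affected plugins.

```php
<?php
// Added example (not the affected plugins' code). Hook name, parameter
// names and filter fields are assumptions chosen for illustration.

// --- Weak form (CWE-502): untrusted request data reaches unserialize()
// with no restrictions. Any class loaded on the site can be instantiated
// and its magic methods (__wakeup, __destruct, ...) run; that is exactly
// what a POP chain supplied by another plugin or theme would abuse.
// Shown for contrast only; it is deliberately NOT registered as a hook.
function example_ajax_handler_weak() {
    $raw    = isset( $_POST['payload'] ) ? wp_unslash( $_POST['payload'] ) : '';
    $filter = unserialize( $raw ); // arbitrary object instantiation from attacker input
    wp_send_json_success( $filter );
}

// --- Hardened form.
function example_ajax_handler_hardened() {
    // 1. Tie the request to a nonce so the endpoint cannot be driven blindly.
    check_ajax_referer( 'example_filter_nonce', 'nonce' );

    $raw = isset( $_POST['payload'] ) ? wp_unslash( $_POST['payload'] ) : '';

    // 2. Use a data-only format: json_decode() never instantiates classes.
    $filter = json_decode( $raw, true );
    if ( ! is_array( $filter ) ) {
        wp_send_json_error( 'invalid payload', 400 );
    }

    // 3. Validate shape and types explicitly instead of trusting the structure.
    $sort  = isset( $filter['sort'] ) ? $filter['sort'] : '';
    $clean = array(
        'min_price' => isset( $filter['min_price'] ) ? absint( $filter['min_price'] ) : 0,
        'max_price' => isset( $filter['max_price'] ) ? absint( $filter['max_price'] ) : PHP_INT_MAX,
        'sort'      => in_array( $sort, array( 'asc', 'desc' ), true ) ? $sort : 'asc',
    );
    wp_send_json_success( $clean );
}
// Registered for unauthenticated callers, as the summary's endpoint is.
add_action( 'wp_ajax_nopriv_example_filter', 'example_ajax_handler_hardened' );
add_action( 'wp_ajax_example_filter', 'example_ajax_handler_hardened' );

// If serialized PHP must still be accepted (legacy clients), refuse objects
// outright. With 'allowed_classes' => false (PHP 7.0+), any object in the
// payload becomes __PHP_Incomplete_Class and no site class's magic methods run.
function example_unserialize_data_only( $raw ) {
    $value = @unserialize( $raw, array( 'allowed_classes' => false ) );
    // unserialize() returns false both on failure and for the literal 'b:0;'.
    if ( false === $value && 'b:0;' !== $raw ) {
        return null;
    }
    return $value;
}
```

A quick audit check for the weak pattern across an installation is to search plugin and theme code for unserialize() calls whose argument is derived from $_POST, $_GET, $_REQUEST or a cookie, and then confirm each one either uses a data-only format or passes the allowed_classes option; the summary's mitigation, updating the two plugins past 1.7.0 and 3.9.0, removes the reachable call in this case, while the audit catches the same defect elsewhere on the site.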
Details
CWE(s): CWE-502 (Deserialization of Untrusted Data)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a remote unauthenticated deserialization vulnerability in a public-facing WordPress plugin, directly enabling exploitation of public-facing applications (T1190). Potential impacts like code execution or data access require an external POP chain but do not change the core exploitation technique.