CVE-2024-13556

CVE-2024-13556 is a PHP Object Injection vulnerability affecting the Affiliate Links: WordPress Plugin for Link Cloaking and Link Management in all versions up to and including 3.0.1. The issue arises from deserialization of untrusted input via a file export feature, enabling attackers to inject a PHP Object. It is associated with CWE-862 (Missing Authorization) and CWE-502 (Deserialization of Untrusted Data), with a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

Unauthenticated attackers can exploit this vulnerability over the network with high attack complexity and no user interaction required. While the injection itself is possible, the vulnerable plugin contains no known Property-Oriented Programming (POP) chain, limiting impact unless another plugin or theme on the site provides one. In such cases, exploitation could allow arbitrary file deletion, sensitive data retrieval, or code execution, depending on the available POP chain.

Mitigation details are available in advisories from Wordfence and the WordPress plugin trac repository, including changeset 3238736 for the affiliate-links plugin, which addresses the deserialization issue. Security practitioners should update the plugin beyond version 3.0.1 and review co-installed plugins or themes for potential POP chains.