CVE-2024-13787
Published: 05 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2024-13787 is a PHP Object Injection vulnerability (CWE-502) affecting the VEDA - MultiPurpose WordPress Theme for WordPress in all versions up to and including 4.2. The flaw stems from deserialization of untrusted input within the 'veda_backup_and_restore_action' function, enabling the injection of a PHP Object. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability to inject a PHP Object. While no known PHP Object Injection (POP) chain exists in the vulnerable theme itself—meaning it has no direct impact unless another plugin or theme providing a POP chain is installed—the presence of such a chain could allow attackers to delete arbitrary files, retrieve sensitive data, or execute arbitrary code, depending on the chain's capabilities.
Advisories and additional details are available via references including the theme's page on ThemeForest (https://themeforest.net/item/veda-multipurpose-theme/15860489) and Wordfence's threat intelligence report (https://www.wordfence.com/threat-intel/vulnerabilities/id/d0966138-b28b-4c03-a2cf-b51c5f478276?source=cve). Practitioners should consult these for any patch information or mitigation guidance specific to the theme.
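To make the CWE-502 pattern concrete, the following is an added illustration, not code from the VEDA theme: a constructed WordPress AJAX handler that feeds POST data to unserialize() (the class of defect described above), followed by a hardened rewrite. The hook name, option name, nonce action and field names are assumptions, not the theme's own identifiers.

```php
<?php
// Added illustration only; the real veda_backup_and_restore_action is not
// reproduced here. Hook, option, nonce and field names are assumptions.

// --- Vulnerable pattern (constructed): untrusted POST data goes straight
// into unserialize(), so any class loaded on the site can be instantiated
// and its magic methods (__wakeup/__destruct) run. A wp_ajax_* handler is
// reachable by any logged-in account, including Subscriber-level users.
function insecure_restore_action() {
    $payload  = wp_unslash( $_POST['backup_data'] ?? '' );
    $settings = unserialize( $payload );                // CWE-502
    update_option( 'veda_theme_settings', $settings );
    wp_send_json_success();
}

// --- Hardened version (constructed):
//  1. capability check, so Subscriber-level accounts cannot reach it,
//  2. nonce check against CSRF,
//  3. JSON instead of PHP serialization, so no objects are ever created,
//  4. explicit validation of the decoded structure before it is stored.
function hardened_restore_action() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );   // wp_die()s
    }
    check_ajax_referer( 'veda_restore_nonce', 'nonce' );        // dies on failure

    $payload  = wp_unslash( $_POST['backup_data'] ?? '' );
    $settings = json_decode( $payload, true );          // assoc arrays only
    if ( json_last_error() !== JSON_ERROR_NONE || ! is_array( $settings ) ) {
        wp_send_json_error( 'malformed backup', 400 );
    }

    $clean = array();
    foreach ( $settings as $key => $value ) {
        if ( ! is_string( $key ) || ! is_scalar( $value ) ) {
            continue;   // drop anything that is not a flat scalar setting
        }
        $clean[ sanitize_key( $key ) ] = sanitize_text_field( (string) $value );
    }
    update_option( 'veda_theme_settings', $clean );
    wp_send_json_success();
}

// If legacy PHP-serialized backups must still be accepted, refuse objects:
//   unserialize( $payload, array( 'allowed_classes' => false ) );
// Any object then becomes __PHP_Incomplete_Class and no magic method fires.

add_action( 'wp_ajax_veda_restore', 'hardened_restore_action' );
```

For detection, the vulnerable form is easy to grep for: any unserialize() call whose argument traces back to $_POST, $_GET, $_REQUEST or a file upload, without an allowed_classes restriction.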
Details
- CWE(s): CWE-502 (Deserialization of Untrusted Data)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The deserialization vulnerability in a public-facing WordPress theme can be exploited for remote code execution, sensitive data access, or arbitrary file operations if a POP chain is present from other installed components.