CVE-2024-13824

CVE-2024-13824 is a PHP Object Injection vulnerability (CWE-502) affecting the CiyaShop - Multipurpose WooCommerce Theme for WordPress in all versions up to and including 4.19.0. The issue arises from deserialization of untrusted input in the 'add_ciyashop_wishlist' and 'ciyashop_get_compare' functions, enabling unauthenticated attackers to inject a PHP Object. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility and lack of prerequisites.

Unauthenticated attackers can exploit this vulnerability remotely by supplying malicious input to the affected functions. While no known Property-Oriented Programming (POP) chain exists within the vulnerable theme itself, making it non-exploitable in isolation, the presence of a POP chain from another installed plugin or theme could enable severe impacts. Depending on the chain, attackers might delete arbitrary files, retrieve sensitive data, or execute arbitrary code on the target system.

Advisories from Wordfence and the theme's changelog on ThemeForest provide further details on mitigation. Security practitioners should review these sources—specifically https://www.wordfence.com/threat-intel/vulnerabilities/id/b69c86f4-d81d-4e14-baff-3402008bb9c6?source=cve and https://themeforest.net/item/ciyashop-responsive-multipurpose-woocommerce-wordpress-theme/22055376#item-description__changelog—for patch information, recommending updates to versions beyond 4.19.0 where the deserialization flaw is addressed.