CVE-2024-49688

Critical

Published: 21 January 2025

Published

21 January 2025

Modified

23 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0047 64.8th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Deserialization of Untrusted Data vulnerability in reputeinfosystems ARPrice arprice allows Object Injection.This issue affects ARPrice: from n/a through <= 4.1.3.

Security Summary

CVE-2024-49688 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the ARPrice WordPress plugin developed by reputeinfosystems. The flaw enables Object Injection and affects all versions of ARPrice from unknown initial versions through 4.1.3.

With a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), the vulnerability is exploitable over the network by unauthenticated attackers requiring low complexity and no user interaction. Successful exploitation can lead to high impacts on confidentiality, integrity, and availability.

The Patchstack advisory documents this as an unauthenticated PHP Object Injection vulnerability specifically in ARPrice plugin version 4.0.3, with details available in their WordPress plugin vulnerability database.

Details

CWE(s): CWE-502

References

https://patchstack.com/database/Wordpress/Plugin/arprice/vulnerability/wordpress-arprice-plugin-4-0-3-unauthenticated-php-object-injection-vulnerability?_s_id=cve
audit@patchstack.com