CVE-2024-49699
Published: 21 January 2025
Description
Deserialization of Untrusted Data vulnerability in reputeinfosystems ARPrice arprice allows Object Injection. This issue affects ARPrice: from n/a through <= 4.1.3.
Security Summary
CVE-2024-49699 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the ARPrice WordPress plugin developed by reputeinfosystems, enabling PHP Object Injection. The issue affects all versions of ARPrice up to and including 4.1.3: the plugin passes untrusted, attacker-controlled data to an unsafe deserialization routine, so a crafted serialized payload can instantiate arbitrary PHP objects on the server.
The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable remotely over the network with low complexity and low privileges (such as an authenticated low-level WordPress user like a subscriber) and without user interaction. Successful exploitation can result in high-impact confidentiality, integrity, and availability violations, potentially allowing attackers to execute arbitrary code, steal data, modify content, or disrupt services on the targeted WordPress site.
Patchstack has published an advisory detailing the vulnerability, specifically referencing the object injection flaw in ARPrice version 4.0.3 and earlier, available at https://patchstack.com/database/Wordpress/Plugin/arprice/vulnerability/wordpress-arprice-plugin-4-0-3-php-object-injection-vulnerability?_s_id=cve. Practitioners should update to a patched version beyond 4.1.3 if available and review access controls for plugin endpoints.
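The following is an added illustration of the CWE-502 pattern behind a PHP Object Injection finding, not ARPrice's code and not taken from the Patchstack advisory: an unsafe settings loader that calls unserialize() on request data, beside two hardened variants. All function names (unsafe_load_settings, safe_load_settings, safe_load_settings_json) and the sample inputs are constructed for the example.

```php
<?php
// Added example (not ARPrice's code): the generic CWE-502 pattern behind a
// PHP Object Injection finding, shown as an unsafe handler beside hardened ones.
// Function names and inputs are illustrative, not taken from the plugin.

declare(strict_types=1);

// Constructed input: what a benign caller would send (an array of scalars).
$benign = serialize(['layout' => 'grid', 'columns' => 3]);

// Constructed input: the same shape, but carrying an object token ("O:").
// stdClass is used only to show that the class name is sender-controlled.
$with_object = 'a:1:{s:6:"layout";O:8:"stdClass":0:{}}';

// VULNERABLE: unserialize() on untrusted data lets the sender choose which
// classes are instantiated; their __wakeup()/__destruct() then run server-side.
function unsafe_load_settings(string $raw)
{
    return unserialize($raw);
}

// HARDENED (1): keep the serialized format for compatibility, but forbid object
// instantiation. With allowed_classes => false every "O:" token becomes a
// __PHP_Incomplete_Class (no magic methods), and we reject the payload if any
// such object is present anywhere in the structure.
function safe_load_settings(string $raw): array
{
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        throw new InvalidArgumentException('settings must be a serialized array');
    }
    // array_walk_recursive descends into nested arrays; objects are leaves here.
    array_walk_recursive($data, function ($v): void {
        if ($v instanceof __PHP_Incomplete_Class) {
            throw new InvalidArgumentException('object tokens are not allowed');
        }
    });
    return $data;
}

// HARDENED (2): for new code, carry structured settings as JSON. json_decode()
// never instantiates application classes, so the injection surface disappears.
function safe_load_settings_json(string $raw): array
{
    $data = json_decode($raw, true, 16, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new InvalidArgumentException('settings must be a JSON object or array');
    }
    return $data;
}

// Demonstration run.
$loaded = unsafe_load_settings($with_object);
echo 'unsafe loader instantiated an object: ',
    var_export($loaded['layout'] instanceof stdClass, true), "\n";

echo 'hardened loader accepted benign input: ',
    var_export(safe_load_settings($benign), true), "\n";

try {
    safe_load_settings($with_object);
} catch (InvalidArgumentException $e) {
    echo 'hardened loader rejected object payload: ', $e->getMessage(), "\n";
}

echo 'JSON loader: ',
    var_export(safe_load_settings_json('{"layout":"grid","columns":3}'), true), "\n";
```

When reviewing a plugin for this class of bug, the check is the same as in the block: find every unserialize() (and WordPress's maybe_unserialize()) reachable from request parameters, options, or uploaded files, and either add allowed_classes => false with a post-check for incomplete classes or switch the format to JSON. On a site that cannot yet update past 4.1.3, restricting which roles can reach the plugin's endpoints reduces exposure, since the CVSS vector already assumes a low-privileged account.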
Details
- CWE(s)