Cyber Posture

CVE-2024-56283

High

Published: 07 January 2025

Modified: 23 April 2026
KEV Added
Patch
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0070 (72.1th percentile)
Risk Priority: 17 (60% EPSS · 20% KEV · 20% CVSS)

Description

Deserialization of Untrusted Data vulnerability in plainware Locatoraid Store Locator locatoraid allows Object Injection. This issue affects Locatoraid Store Locator: from n/a through <= 3.9.50.

Security Summary

CVE-2024-56283 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the plainware Locatoraid Store Locator WordPress plugin, enabling Object Injection. The issue affects all versions of the plugin through 3.9.50 and was published on 2025-01-07.

The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). Remote, unauthenticated attackers can exploit it over the network without user interaction, although the attack complexity is high. Exploitation could have a high impact on confidentiality, integrity, and availability.

The Patchstack advisory provides further details on this WordPress plugin vulnerability at https://patchstack.com/database/Wordpress/Plugin/locatoraid/vulnerability/wordpress-locatoraid-store-locator-plugin-3-9-50-php-object-injection-vulnerability?_s_id=cve.

Details

CWE(s)
CWE-502

References