Unauthenticated Users Can Perform PHP Object Injection via Geo Controller Plugin
CVE-2024-3591

Currently unrated

Key Information:

Vendor: Wordpress
Status: Geo Controller
Vendor: CVE Published:; 1 May 2024

Badges

👾 Exploit Exists🟡 Public PoC

Summary

The Geo Controller WordPress plugin before 8.6.5 unserializes user input via some of its AJAX actions and REST API routes, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog.

Affected Version(s)

Geo Controller 0 < 8.6.5

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-3591 - Proof of Concept

References

https://wpscan.com/vulnerability/f85d8b61-eaeb-433c-b857-...

exploitvdb-entrytechnical-description

Timeline

🟡
Public PoC available
May 1, 2024
👾
Exploit known to exist
May 1, 2024
Vulnerability published
May 1, 2024
Vulnerability Reserved
Apr 10, 2024

Credit

fuyoumingyan

WPScan