Deserialization of Untrusted Data Vulnerability in ARPrice Plugin by NotFound
CVE-2024-49699

8.8HIGH

Key Information:

Vendor: WordPress
Status: Arprice
Vendor: CVE Published:; 21 January 2025

Badges

👾 Exploit Exists🟡 Public PoC

Summary

A vulnerability affecting the ARPrice plugin, developed by NotFound, allows for Object Injection due to deserialization of untrusted data. This can potentially lead to unauthorized access or manipulation of critical application objects. Versions impacted by this security flaw include ARPrice up to 4.0.3. It is essential for users of affected versions to apply the latest updates to mitigate the risk posed by this vulnerability and ensure the security of their WordPress installations.

Affected Version(s)

ARPrice <= 4.0.3

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-49699
Created by RandomRobbieBF

References

https://patchstack.com/database/wordpress/plugin/arprice/...

vdb-entry

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 21, 2025
🟡
Public PoC available
Jan 11, 2025
👾
Exploit known to exist
Jan 11, 2025
Vulnerability Reserved
Oct 17, 2024

Credit

Bonds (Patchstack Alliance)