Unauthenticated attackers can exploit REST API routes and Object Injection vulnerability to compromise WordPress sites
CVE-2024-5488

Currently unrated

Key Information:

Vendor: Wordpress
Status: Seopress
Vendor: CVE Published:; 9 July 2024

Badges

👾 Exploit Exists🟡 Public PoC

Summary

The SEOPress WordPress plugin before 7.9 does not properly protect some of its REST API routes, which combined with another Object Injection vulnerability can allow unauthenticated attackers to unserialize malicious gadget chains, compromising the site if a suitable chain is present.

Affected Version(s)

SEOPress 0 < 7.9

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-5488 - Proof of Concept

References

https://wpscan.com/vulnerability/28507376-ded0-4e1a-b2fc-...

exploitvdb-entrytechnical-description

Timeline

🟡
Public PoC available
Jul 9, 2024
👾
Exploit known to exist
Jul 9, 2024
Vulnerability published
Jul 9, 2024
Vulnerability Reserved
May 29, 2024

Credit

Marc Montpas

WPScan