- Description: The String locator plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.6.6 via deserialization of untrusted input in the 'recursive_unserialize_replace' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. An administrator must perform a search and replace action to trigger the exploit.
- Source: security@wordfence.com
- NVD status: Analyzed

CVSS 3.1
- Type: Primary
- Base score: 8.8
- Impact score: 5.9
- Exploitability score: 2.8
- Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Severity: HIGH
- Weakness: CWE-502 (source: security@wordfence.com)
- Hype score: Not currently trending
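The description above names the weakness class (CWE-502, untrusted data reaching unserialize() inside a recursive search-and-replace routine) but not the code. The following is an added illustration written for this page, not the String Locator plugin's own code: a hypothetical walker that recurses into serialized strings the way a "recursive unserialize replace" helper would, shown once in the pattern that lets an attacker-controlled blob instantiate arbitrary classes and once hardened with `allowed_classes => false`, which turns any object in the blob into `__PHP_Incomplete_Class` so no class constructor, `__wakeup` or `__destruct` from another plugin or theme ever runs. Function names (`walk`, `replace_unsafe`, `replace_safe`, `contains_object`) are assumptions, and the sample input is constructed; it assumes PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Cheap structural check: serialized PHP values start with a type tag.
function is_serialized_string(string $s): bool
{
    return (bool) preg_match('/^(?:[aOCs]:\d+:|[ibd]:|N;)/', $s);
}

// Generic search-and-replace walker (hypothetical, not the plugin's code).
// Strings that look serialized are decoded with $unserializer, walked, and
// re-encoded, so a replacement inside a serialized option survives round-trip.
function walk(mixed $data, string $from, string $to, callable $unserializer): mixed
{
    if (is_string($data) && is_serialized_string($data)) {
        $inner = $unserializer($data);
        // false also means "the blob was b:0;"; treating that as a plain string is harmless.
        if ($inner !== false) {
            return serialize(walk($inner, $from, $to, $unserializer));
        }
    }
    if (is_array($data)) {
        foreach ($data as $k => $v) {
            $data[$k] = walk($v, $from, $to, $unserializer);
        }
        return $data;
    }
    return is_string($data) ? str_replace($from, $to, $data) : $data;
}

// UNSAFE pattern: a bare unserialize() instantiates whatever class the blob
// names. Even though this walker never touches the object, its __wakeup runs
// on creation and its __destruct runs when the object goes out of scope, which
// is exactly what a POP chain from another installed plugin or theme needs.
function replace_unsafe(mixed $data, string $from, string $to): mixed
{
    return walk($data, $from, $to, fn(string $s): mixed => @unserialize($s));
}

// True if any object (including __PHP_Incomplete_Class) is nested in $v.
function contains_object(mixed $v): bool
{
    if (is_object($v)) {
        return true;
    }
    if (is_array($v)) {
        foreach ($v as $e) {
            if (contains_object($e)) {
                return true;
            }
        }
    }
    return false;
}

// HARDENED pattern: allowed_classes => false means no user class is ever
// instantiated; objects come back as __PHP_Incomplete_Class. Search-and-replace
// input has no legitimate reason to carry objects, so refuse them outright
// rather than silently re-serializing them.
function replace_safe(mixed $data, string $from, string $to): mixed
{
    return walk($data, $from, $to, function (string $s): mixed {
        $v = @unserialize($s, ['allowed_classes' => false]);
        if ($v !== false && contains_object($v)) {
            throw new UnexpectedValueException('serialized object rejected');
        }
        return $v;
    });
}

// Constructed sample input (not taken from the page): a plain string, a
// serialized array, and a serialized object (stdClass stands in for any class).
$settings = [
    'title'  => 'hello world',
    'widget' => serialize(['text' => 'hello']),
];
var_dump(replace_safe($settings, 'hello', 'bye'));

try {
    replace_safe(serialize(new stdClass()), 'hello', 'bye');
} catch (UnexpectedValueException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The first call replaces the text both in the plain string and inside the serialized array and re-encodes it; the second raises the exception because the blob contains an object. For detection in a deployed site, the same `contains_object` check on the `__PHP_Incomplete_Class` result is a good place to log the offending input, since legitimate search-and-replace traffic should never trip it.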
CVE-2024-10936 PHP Object Injection Vulnerability in WordPress String Locator Pl... https://t.co/KZjFpEYFs7 Vulnerability Alert Subscriptions: https://t.co/hrQhy5uz4x
@VulmonFeeds
21 Jan 2025
CVE-2024-10936 The String locator plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.6.6 via deserialization of untrusted input in th… https://t.co/nXcat7bFKh
@CVEnew
21 Jan 2025
[CVE-2024-10936: HIGH] WordPress String locator plugin up to version 2.6.6 is vulnerable to PHP Object Injection, allowing attackers to inject malicious code. Admin action needed for exploit. #cybersecurity #vulnerability https://t.co/1N6UN6Ftvi https://t.co/KakyNEF2Js
@CveFindCom
21 Jan 2025
New post from https://t.co/uXvPWJy6tj (CVE-2024-10936 | String Locator Plugin up to 2.6.6 on WordPress code injection) has been published on https://t.co/41UkG6u7p8
@WolfgangSesin
20 Jan 2025
New post from https://t.co/uXvPWJy6tj (CVE-2024-10936 | String Locator Plugin up to 2.6.6 on WordPress code injection) has been published on https://t.co/B43T69HYak
@WolfgangSesin
20 Jan 2025
Affected configuration (CPE match):

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:instawp:string_locator:*:*:*:*:*:wordpress:*:*",
            "vulnerable": true,
            "matchCriteriaId": "58A24F54-7A13-4982-8348-D43313BFCF6B",
            "versionEndExcluding": "2.6.7"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]