CVE-2024-13742

CVSS 3.1 Score 9.8 of 10 (high)

Details

Published Jan 30, 2025

CWE ID 502

Summary

CVE-2024-13742: The WordPress plugin iControlWP, used in versions up to 4.4.5, contains a vulnerability that allows unauthenticated attackers to inject PHP Objects through deserialization of untrusted input from the reqpars parameter. No pop chain is present in the vulnerable software, so the impact is minimal unless another plugin or theme with a pop chain is installed on the site. In such cases, an attacker could delete arbitrary files, retrieve sensitive data, or execute code depending on the specific pop chain present.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

WordPress

Advisories, Assessments, and Mitigations

https://app.recordedfuture.com/live/sc/entity/21sQ0Y
https://www.cve.org/CVERecord?id=CVE-2024-13742
https://nvd.nist.gov/vuln/detail/CVE-2024-13742

Back to Vulnerability Database

CVE-2024-13742

CVSS 3.1 Score 9.8 of 10 (high)

Details

Summary

Affected Vendors

Advisories, Assessments, and Mitigations