CVE-2024-31211

MEDIUM

Wordpress < 6.4.2 - Insecure Deserialization

Title source: rule

Description

WordPress is an open publishing platform for the Web. Unserialization of instances of the `WP_HTML_Token` class allows for code execution via its `__destruct()` magic method. This issue was fixed in WordPress 6.4.2 on December 6th, 2023. Versions prior to 6.4.0 are not affected.

Exploits (1)

nomisec WORKING POC

by Abdurahmon3236 · poc

https://github.com/Abdurahmon3236/-CVE-2024-31211

View Code ZIP pw:eip

References (1)

[Vendor Advisory] https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-m257-q4m5-j653

Scores

CVSS v3 5.5

EPSS 0.3971

EPSS Percentile 97.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-502

Status published

Products (1)

wordpress/wordpress 6.4.0 - 6.4.2

Published Apr 04, 2024

Tracked Since Feb 18, 2026