CVE-2024-56058

CRITICAL

Gueststream VRPConnector <2.0.1 - Code Injection

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-56058. PoCs published by RandomRobbieBF.

AI-analyzed exploit summary: This PoC demonstrates an unauthenticated PHP Object Injection vulnerability in VRPConnector <= 2.0.1 via deserialization of untrusted input in the 'vrpFavorites' cookie. While no POP chain is present in the vulnerable software, exploitation could lead to arbitrary file deletion, sensitive data retrieval, or code execution if a suitable POP chain exists in other plugins/themes.

Description

Deserialization of Untrusted Data vulnerability in denniskravetstns VRPConnector vrpconnector allows Object Injection. This issue affects VRPConnector: from n/a through <= 2.0.1.

Exploits (1)

nomisec WORKING POC
by RandomRobbieBF · poc
https://github.com/RandomRobbieBF/CVE-2024-56058

Classification: Working Poc 90%
Attack Type: Deserialization
Complexity: Moderate
Reliability: Theoretical
Target: VRPConnector WordPress plugin <= 2.0.1
No auth needed
Prerequisites: Target must have VRPConnector <= 2.0.1 installed · A suitable POP chain must exist in the target environment for exploitation
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 9.8
EPSS 0.0163
EPSS Percentile 73.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE CWE-502
Status published
Products (2)
denniskravetstns/VRPConnector < 2.0.1
Gueststream/VRPConnector < 2.0.1
Published Dec 18, 2024
Tracked Since Feb 18, 2026