CVE-2024-13786
BaseFortify
Publication date: 2025-07-02
Last updated on: 2025-07-03
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the education theme for WordPress up to version 3.6.10. It is a PHP Object Injection vulnerability caused by deserialization of untrusted input in the 'themerex_callback_view_more_posts' function. This allows unauthenticated attackers to inject PHP objects. However, the vulnerability alone has no impact unless another plugin or theme with a POP (Property Oriented Programming) chain is installed, which could then enable malicious actions.
How can this vulnerability impact me? :
If a POP chain is present via an additional plugin or theme on the target system, an attacker could exploit this vulnerability to delete arbitrary files, retrieve sensitive data, or execute code on the affected site. Without such a POP chain, the vulnerability has no impact.