CVE-2026-24385
Awaiting Analysis Awaiting Analysis - Queue
Deserialization Object Injection in Podlove Web Player

Publication date: 2026-03-05

Last updated on: 2026-03-09

Assigner: Patchstack

Description
Deserialization of Untrusted Data vulnerability in gerritvanaaken Podlove Web Player podlove-web-player allows Object Injection.This issue affects Podlove Web Player: from n/a through <= 5.9.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-05
Last Modified
2026-03-09
Generated
2026-06-16
AI Q&A
2026-03-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-24385
EUVD
EUVD-2026-9600
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
podlove podlove_web_player to 5.9.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

I don't know

Executive Summary

CVE-2026-24385 is a PHP Object Injection vulnerability in the Podlove Web Player WordPress plugin versions up to and including 5.9.1.

This vulnerability allows an attacker who has at least Contributor or Developer privileges to inject malicious PHP objects into the application.

Exploiting this flaw can lead to various attacks such as code injection, SQL injection, path traversal, denial of service, and other malicious actions if a suitable Property Oriented Programming (POP) chain is available.

The vulnerability falls under the OWASP Top 10 category A3: Injection.

Impact Analysis

If exploited, this vulnerability can allow attackers with Contributor or Developer privileges to perform unauthorized actions such as executing arbitrary code, manipulating the database via SQL injection, accessing or modifying files through path traversal, or causing denial of service.

These impacts can compromise the security, integrity, and availability of the affected system.

Users of the Podlove Web Player plugin versions 5.9.1 and earlier are at risk until they update to version 5.9.2 or later.

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability affects the Podlove Web Player Plugin versions up to and including 5.9.1. Detection involves identifying if this vulnerable plugin version is installed on your WordPress site.'}, {'type': 'paragraph', 'content': 'You can check the installed plugin version by accessing your WordPress admin dashboard or by running commands on your server to inspect the plugin files.'}, {'type': 'list_item', 'content': 'Use WP-CLI to check the plugin version: wp plugin list | grep podlove-web-player'}, {'type': 'list_item', 'content': "Manually check the plugin version in the plugin's main PHP file, usually located at wp-content/plugins/podlove-web-player/podlove-web-player.php, by looking for the Version header."}, {'type': 'paragraph', 'content': 'Additionally, monitoring logs or network traffic for suspicious activity related to PHP Object Injection attempts may help detect exploitation attempts, but no specific detection commands are provided.'}] [1]

Mitigation Strategies

The primary and most effective mitigation step is to update the Podlove Web Player Plugin to version 5.9.2 or later, where this vulnerability has been patched.

Until the update can be applied, you can use mitigation rules provided by Patchstack that block exploitation attempts.

Restrict user privileges to prevent untrusted users from having Contributor or Developer roles, as the vulnerability requires at least these privileges to be exploited.

Enable auto-update features for plugins if available to ensure timely patching of vulnerabilities.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24385. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart