CVE-2024-31211

2024-04-0423:15:16

CWE-502

[email protected]

web.nvd.nist.gov

wordpress

open publishing

vulnerability

unserialization

code execution

5.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

7 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

9.0%

JSON

WordPress is an open publishing platform for the Web. Unserialization of instances of the WP_HTML_Token class allows for code execution via its __destruct() magic method. This issue was fixed in WordPress 6.4.2 on December 6th, 2023. Versions prior to 6.4.0 are not affected.

Affected configurations

Vulners

Node

wordpresswordpressRange6.4.0≥

VendorProductVersionCPE
wordpresswordpress*cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
wordpress	wordpress	*	cpe:2.3:a:wordpress:wordpress::::::::

CNA Affected

[
  {
    "vendor": "WordPress",
    "product": "wordpress-develop",
    "versions": [
      {
        "version": ">= 6.4.0 < 6.4.2",
        "status": "affected"
      }
    ]
  }
]