CVE-2024-0668 Advanced Database Cleaner <= 3.1.3 - Authenticated(Administrator+) PHP Object Injection via process_bulk_action

🗓️ 05 Feb 2024 21:22:03Reported by WordfenceType

Vulnerability in Advanced Database Cleaner plugin for WordPress. CVE-2024-0668. PHP Object Injection via untrusted input deserialization, allowing authenticated attackers to inject PHP Objects. No present POP chain but potential risk with additional plugins or themes.

Reporter	Title	Published	Views	Family All 14
Circl	CVE-2024-0668	18 Feb 202407:36	–	circl
CNNVD	WordPress plugin Advanced Database Cleaner security vulnerability	5 Feb 202400:00	–	cnnvd
CVE	CVE-2024-0668	5 Feb 202421:22	–	cve
EUVD	EUVD-2024-16460	3 Oct 202520:07	–	euvd
NVD	CVE-2024-0668	5 Feb 202422:16	–	nvd
OpenVAS	WordPress Advanced Database Cleaner Plugin < 3.1.4 PHP Object Injection Vulnerability	20 Feb 202500:00	–	openvas
OSV	CVE-2024-0668	5 Feb 202422:16	–	osv
Patchstack	WordPress Advanced Database Cleaner Plugin <= 3.1.3 is vulnerable to PHP Object Injection	6 Feb 202400:00	–	patchstack
Prion	Deserialization of untrusted data	5 Feb 202422:16	–	prion
Positive Technologies	PT-2024-15733 · WordPress · Advanced Database Cleaner	5 Feb 202400:00	–	ptsecurity

[
  {
    "vendor": "symptote",
    "product": "Advanced Database Cleaner – Optimize & Clean Database to Speed Up Site Performance",
    "versions": [
      {
        "version": "0",
        "status": "affected",
        "lessThanOrEqual": "3.1.3",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

Source	Link
plugins	www.plugins.trac.wordpress.org/changeset/3025980/
wordfence	www.wordfence.com/threat-intel/vulnerabilities/id/e0b8c24b-3e51-4637-9d8e-da065077d082
plugins	www.plugins.trac.wordpress.org/browser/advanced-database-cleaner/tags/3.1.3/includes/class_clean_cron.php
plugins	www.plugins.trac.wordpress.org/browser/advanced-database-cleaner/tags/3.1.3/includes/class_clean_cron.php

08 Apr 2026 17:28Current

7.3High risk

Vulners AI Score7.3

CVSS 3.16.6

EPSS0.00533

CWE-502