CVSS3: 5.5 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
AI Score: 7.5 High (Confidence: Low)
EPSS: 0.0004 Low (Percentile: 9.0%)
WordPress is an open publishing platform for the Web. Unserialization of instances of the WP_HTML_Token class allows for code execution via its __destruct() magic method. This issue was fixed in WordPress 6.4.2 on December 6th, 2023. Versions prior to 6.4.0 are not affected.
github.com/WordPress/wordpress-develop/security/advisories/GHSA-m257-q4m5-j653
launchpad.net/bugs/cve/CVE-2024-31211
nvd.nist.gov/vuln/detail/CVE-2024-31211
security-tracker.debian.org/tracker/CVE-2024-31211
wordpress.org/documentation/wordpress-version/version-6-4-2/#installation-update-information
www.cve.org/CVERecord?id=CVE-2024-31211
www.wordfence.com/blog/2023/12/psa-critical-pop-chain-allowing-remote-code-execution-patched-in-wordpress-6-4-2/