CVE-2024-13645Code Injection in Composer

CWE-94Code Injection3 documents3 sources
Severity
9.8CRITICALNVD
EPSS
2.2%
top 15.45%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Tagdiv Composer
Timeline
PublishedApr 4

Description

The tagDiv Composer plugin for WordPress is vulnerable to PHP Object Instantiation in all versions up to, and including, 5.3 via module parameter. This makes it possible for unauthenticated attackers to Instantiate a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target syst

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages1 packages

CVEListV5tagdiv/tagdiv_composer5.3

🔴Vulnerability Details

2
GHSA
GHSA-8mmw-qfv3-2mgw: The tagDiv Composer plugin for WordPress is vulnerable to PHP Object Instantiation in all versions up to, and including, 52025-04-04
CVEList
TagDiv Composer <= 5.3 - Unauthenticated Arbitrary PHP Object Instantiation2025-04-04
CVE-2024-13645 — Code Injection in Tagdiv Composer | cvebase