Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2024-5488

Severity: 9.8 CRITICAL
EPSS: 71.0% (top 1.30%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Timeline: Published Jul 9

Description

The SEOPress WordPress plugin before 7.9 does not properly protect some of its REST API routes, which combined with another Object Injection vulnerability can allow unauthenticated attackers to unserialize malicious gadget chains, compromising the site if a suitable chain is present.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (2 packages)

Source: CVEListV5 | Package: unknown/seopress | Affected versions: < 7.9

Vulnerability Details (2)

CVEList: SEOPress < 7.9 - Unauthenticated Object Injection (2024-07-09)
GHSA: GHSA-wh6w-2qc6-mq3c: The SEOPress WordPress plugin before 7 (2024-07-09)

Exploits & PoCs (1)

Nuclei: SEOPress < 7.9 - Authentication Bypass
CVE-2024-5488 (CRITICAL CVSS 9.8) | The SEOPress WordPress plugin befor | cvebase.io