CVE-2023-52218: 
WordPress vulnerability analysis and mitigation

The Woocommerce Tranzila Payment Gateway plugin for WordPress contains a Deserialization of Untrusted Data vulnerability (CVE-2023-52218) affecting all versions up to and including 1.0.8. The vulnerability was discovered by Rafie Muhammad and was publicly disclosed on January 5, 2024 (Patchstack, WPScan).

The vulnerability is classified as a PHP Object Injection vulnerability (CWE-502) that occurs through the deserialization of untrusted input. It has received a Critical CVSS v3.1 score of 9.8 from NIST (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and a score of 10.0 from Patchstack (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). The vulnerability can be exploited without authentication, making it particularly severe (NVD).

While no POP chain is present in the vulnerable plugin itself, if a POP chain exists via additional plugins or themes installed on the target system, attackers could potentially delete arbitrary files, retrieve sensitive data, or execute malicious code. The vulnerability is considered highly dangerous and is expected to become mass exploited (Patchstack).

Currently, there is no official fix available for this vulnerability. Patchstack has issued a virtual patch to mitigate the issue by blocking potential attacks until an official fix becomes available. Website owners are advised to implement mitigation measures immediately (Patchstack).