CVE-2023-6049: 
WordPress vulnerability analysis and mitigation

The Estatik Real Estate Plugin for WordPress (versions before 4.1.1) contains a critical security vulnerability identified as CVE-2023-6049. The vulnerability was discovered by Krzysztof Zając from CERT PL and publicly disclosed on December 25, 2023. This security flaw involves unsafe deserialization of user input via cookies, which affects the plugin's core functionality (WPScan).

The vulnerability is classified as a PHP Object Injection flaw (CWE-502) with a CVSS v3.1 base score of 9.8 (Critical). The issue stems from the plugin's improper handling of cookie data, specifically unserialized user input, which can lead to PHP Object Injection when a suitable gadget chain is present. This vulnerability aligns with OWASP Top 10 category A8: Insecure Deserialization (NVD, WPScan).

The vulnerability allows unauthenticated users to perform PHP Object Injection attacks, which could potentially lead to remote code execution if a suitable gadget chain is present in the target environment. This presents a significant security risk as it requires no authentication and can be exploited remotely (WPScan).

The vulnerability has been patched in version 4.1.1 of the Estatik Real Estate Plugin. Users are strongly advised to update to this version or later to mitigate the risk. No alternative workarounds have been published (WPScan).