CVE-2024-0668: 
WordPress vulnerability analysis and mitigation

The Advanced Database Cleaner WordPress plugin (versions up to 3.1.3) contains a PHP Object Injection vulnerability (CVE-2024-0668) through the 'process_bulk_action' function. The vulnerability was discovered and reported by Wordfence, with the initial disclosure made on February 5, 2024 (Wordfence Advisory).

The vulnerability stems from the improper handling of deserialization of untrusted input in the 'process_bulk_action' function. The issue has been assigned a CVSS v3.1 base score of 7.2 (HIGH) by NVD with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, while Wordfence assigned a score of 6.6 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified under CWE-502 (Deserialization of Untrusted Data) (NVD).

While no direct POP (Property Oriented Programming) chain exists in the vulnerable plugin itself, if a POP chain is present through additional plugins or themes installed on the target system, an attacker could potentially delete arbitrary files, retrieve sensitive data, or execute code on the affected system (NVD).

A patch has been released to address this vulnerability. Website administrators should update the Advanced Database Cleaner plugin to a version newer than 3.1.3. The fix can be found in the WordPress plugin repository (WordPress Patch).