CVE-2024-13410: 
WordPress vulnerability analysis and mitigation

The CozyStay and TinySalt plugins for WordPress are vulnerable to PHP Object Injection in versions up to and including 1.7.0 and 3.9.0 respectively. The vulnerability was discovered and disclosed on March 19, 2025, and is tracked as CVE-2024-13410. The issue affects the 'ajax_handler' function in both plugins, which allows unauthenticated attackers to inject PHP Objects through deserialization of untrusted input (NVD).

The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data) and has received a CVSS v3.1 base score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The issue stems from improper handling of deserialization operations in the 'ajax_handler' function. Notably, while the vulnerability allows for PHP Object injection, there is no known POP (Property-Oriented Programming) chain present in the vulnerable software itself (NVD).

The vulnerability's impact is contingent on the presence of additional plugins or themes containing a POP chain. If such a chain exists, attackers could potentially delete arbitrary files, retrieve sensitive data, or execute code on the target system. Without a POP chain present, the vulnerability has no direct impact (NVD).

The vulnerability has been patched in version 1.7.1 of CozyStay and version 3.10.0 of TinySalt. Users are advised to update to these versions or later to address the security issue (ThemeForest CozyStay, ThemeForest TinySalt).