CVE-2024-13645: 
WordPress vulnerability analysis and mitigation

The tagDiv Composer plugin for WordPress contains a PHP Object Instantiation vulnerability (CVE-2024-13645) affecting all versions up to and including 5.3. The vulnerability was discovered and disclosed on April 4, 2025, and affects the plugin's module parameter functionality. This security issue allows unauthenticated attackers to instantiate PHP objects (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The issue is classified as CWE-94 (Improper Control of Generation of Code). The vulnerability specifically affects the module parameter in the tagDiv Composer plugin, allowing unauthorized PHP object instantiation (NVD, Wordfence).

While no known POP (Property-Oriented Programming) chain is present in the vulnerable software itself, the impact could be severe if another plugin or theme containing a POP chain is installed on the site. In such cases, attackers could potentially delete arbitrary files, retrieve sensitive data, or execute code, depending on the POP chain present (NVD).

Users should update the tagDiv Composer plugin to a version newer than 5.3 when available. As this is a recently disclosed vulnerability, users should monitor the official tagDiv website and WordPress plugin repository for security updates (TagDiv).