CVE-2024-13742: 
WordPress vulnerability analysis and mitigation

The iControlWP – Multiple WordPress Site Manager plugin for WordPress is vulnerable to PHP Object Injection (CVE-2024-13742) in versions up to and including 4.4.5. The vulnerability stems from the deserialization of untrusted input from the reqpars parameter, allowing unauthenticated attackers to inject PHP Objects (Wordfence Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The issue is classified as CWE-502 (Deserialization of Untrusted Data). The vulnerability exists in the plugin's handling of the reqpars parameter, where untrusted input is deserialized without proper validation (NVD).

While no known POP (Property-Oriented Programming) chain is present in the vulnerable software itself, the impact could be severe if another plugin or theme containing a POP chain is installed on the site. In such cases, attackers could potentially delete arbitrary files, retrieve sensitive data, or execute code depending on the available POP chain (NVD).

Users should update to a version newer than 4.4.5 if available, or consider removing the plugin if it's not actively needed. If removal is not possible, implementing additional security controls and monitoring for suspicious activities is recommended (NVD).