CVE-2024-22284: 
WordPress vulnerability analysis and mitigation

The Asgaros Forum WordPress plugin contains a Deserialization of Untrusted Data vulnerability (CVE-2024-22284) affecting versions up to 2.7.2. This critical vulnerability was discovered by Le Ngoc Anh and publicly disclosed on January 16, 2024. The issue resides in the prepare_unread_status function, allowing unauthenticated attackers to perform PHP Object Injection (Patchstack, WPScan).

The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data) and has received a CVSS v3.1 base score of 9.8 (CRITICAL) from NIST with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, while Patchstack assigned a score of 8.7 (HIGH) with vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N. The vulnerability specifically involves the prepare_unread_status function which improperly handles deserialization of untrusted input (NVD).

If successfully exploited, this vulnerability could allow attackers to inject PHP Objects. When combined with a suitable POP chain present in additional plugins or themes on the target system, attackers could potentially delete arbitrary files, retrieve sensitive data, or execute arbitrary code on the affected system (WPScan).

The vulnerability has been patched in version 2.8.0 of the Asgaros Forum plugin. Users are strongly advised to update to this version or later to resolve the security issue (Patchstack).