CVE-2024-23512: 
WordPress vulnerability analysis and mitigation

A Deserialization of Untrusted Data vulnerability (CVE-2024-23512) was discovered in wpxpo ProductX – WooCommerce Builder & Gutenberg WooCommerce Blocks affecting versions through 3.1.4. The vulnerability was reported on January 30, 2024, and has received a Critical CVSS v3.1 base score of 9.8 from NVD and 8.7 from Patchstack (NVD, Patchstack).

The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data). It allows for PHP Object Injection, which could enable various attack vectors including code injection, SQL injection, path traversal, and denial of service if a proper POP chain is present. The vulnerability is particularly severe as it requires no authentication to exploit, with a CVSS vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H according to NVD's assessment (NVD, Patchstack).

The vulnerability is considered highly dangerous and expected to become mass exploited. Due to its unauthenticated nature and the potential for code execution, successful exploitation could lead to complete system compromise, allowing attackers to execute arbitrary code, perform SQL injection, conduct path traversal attacks, or cause denial of service conditions (Patchstack).

The vulnerability has been fixed in version 3.1.5 of the plugin. Users are strongly advised to update to this version or later immediately. For temporary mitigation, Patchstack has issued a virtual patch to block potential attacks until users can update to the fixed version (Patchstack).