CVE-2024-23513: 
WordPress vulnerability analysis and mitigation

The CVE-2024-23513 is a Deserialization of Untrusted Data vulnerability affecting the PropertyHive WordPress plugin versions up to and including 2.0.5. The vulnerability was discovered by Yudistira Arya and publicly disclosed on January 30, 2024. The issue specifically involves PHP Object Injection via the 'propertyhive_currency' cookie value, which can be exploited by unauthenticated attackers (WPScan, Patchstack).

The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data) and has received multiple CVSS severity ratings. The NVD assigned a CVSS v3.1 base score of 9.8 (Critical) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, while Patchstack rated it at 8.7 (High) with vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N. The vulnerability allows for the deserialization of untrusted input from the 'propertyhive_currency' cookie value (WPScan).

While no direct POP (Property-Oriented Programming) chain is present in the vulnerable plugin itself, if a POP chain exists via additional plugins or themes installed on the target system, attackers could potentially delete arbitrary files, retrieve sensitive data, or execute malicious code on the affected system (WPScan).

The vulnerability has been patched in PropertyHive version 2.0.6. Site administrators are strongly advised to update to this version or later immediately. For those unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks (Patchstack).