CVE-2024-24797: 
WordPress vulnerability analysis and mitigation

A critical Deserialization of Untrusted Data vulnerability (CVE-2024-24797) was discovered in G5Theme ERE Recently Viewed – Essential Real Estate Add-On WordPress plugin affecting versions through 1.3. The vulnerability was reported on December 25, 2023, and publicly disclosed on January 31, 2024 (Patchstack).

The vulnerability is classified as a PHP Object Injection vulnerability (CWE-502) that occurs through deserialization of untrusted input. It received a Critical CVSS v3.1 base score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity across confidentiality, integrity, and availability impacts (WPScan, Patchstack).

The vulnerability allows unauthenticated attackers to inject PHP Objects. If a POP chain is present via additional plugins or themes on the target system, attackers could potentially delete arbitrary files, retrieve sensitive data, or execute arbitrary code on the affected system (WPScan).

Users are strongly advised to update to version 2.0 or later of the ERE Recently Viewed plugin, which contains the fix for this vulnerability. Patchstack has issued a virtual patch to mitigate this issue by blocking attacks until users can update to the fixed version (Patchstack).