CVE-2024-25100: 
WordPress vulnerability analysis and mitigation

CVE-2024-25100 is a Deserialization of Untrusted Data vulnerability affecting WP Swings Coupon Referral Program WordPress plugin versions up to and including 1.7.2. The vulnerability was discovered and reported by Dave Jong from Patchstack on November 30, 2023, and was publicly disclosed on February 5, 2024 (Patchstack Advisory).

The vulnerability is classified as a PHP Object Injection issue (CWE-502) with a Critical severity rating. It has received a CVSS v3.1 Base Score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H according to NVD, while Patchstack assigned it a CVSS score of 10.0 with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (NVD).

The vulnerability could allow an unauthenticated attacker to execute code injection, SQL injection, path traversal, and denial of service attacks if a proper POP chain is present. The high CVSS score indicates that this vulnerability is highly dangerous and expected to become mass exploited (Patchstack Advisory).

Currently, there is no official fix available from the vendor. Patchstack has issued a virtual patch to mitigate this issue by blocking any attacks until an official fix becomes available. Users are advised to implement the virtual patch immediately or consider removing the plugin until a security update is released (Patchstack Advisory).