CVE-2024-29136: 
WordPress vulnerability analysis and mitigation

A Deserialization of Untrusted Data vulnerability was discovered in Themefic's Tourfic WordPress plugin, affecting versions up to 2.11.17. The vulnerability was reported on January 30, 2024, and publicly disclosed on March 18, 2024. This security issue has been assigned CVE-2024-29136 and received a high severity CVSS score of 8.8 (NVD).

The vulnerability is classified as a PHP Object Injection issue (CWE-502). It received a CVSS v3.1 base score of 8.8 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H from NVD, while Patchstack assigned a score of 8.5 (High) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H (Patchstack).

The PHP Object Injection vulnerability could potentially allow malicious actors to execute code injection, SQL injection, path traversal, or denial of service attacks if a proper POP chain is present. The high severity score indicates significant potential impact on the affected systems (Patchstack).

Users are advised to update to version 2.11.19 or later to resolve the vulnerability. Patchstack has issued a virtual patch to mitigate this issue by blocking any attacks until users can update to a fixed version (Patchstack).