CVE-2024-3240: 
WordPress vulnerability analysis and mitigation

The ConvertPlug WordPress plugin (versions up to 3.5.25) contains a PHP Object Injection vulnerability (CVE-2024-3240) discovered in May 2024. The vulnerability exists in the 'settingsencoded' attribute of the 'smileinfo_bar' shortcode, allowing authenticated attackers with contributor-level access or higher to inject PHP Objects (NVD).

The vulnerability is related to the deserialization of untrusted input from the 'settingsencoded' attribute in the 'smileinfo_bar' shortcode. While no POP (Property Oriented Programming) chain is present in the vulnerable plugin itself, if a POP chain exists via additional plugins or themes on the target system, it could be exploited. The vulnerability has been assigned a CVSS v3.1 score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

If successfully exploited, this vulnerability could allow attackers to delete arbitrary files, retrieve sensitive data, or execute code on the target system when combined with a POP chain from other installed components (NVD).

The vulnerability has been patched in version 3.5.26 of the ConvertPlug plugin. Users are strongly advised to update to this version or later to protect their systems (ConvertPlug Archives).