CVE-2024-33553: 
WordPress vulnerability analysis and mitigation

A critical PHP Object Injection vulnerability (CVE-2024-33553) was discovered in 8theme's XStore Core WordPress plugin, affecting versions up to 5.3.5. The vulnerability allows unauthenticated attackers to perform deserialization of untrusted data, posing a significant security risk to WordPress installations using this plugin (Patchstack, WPScan).

The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data) and has received a critical CVSS v3.1 base score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The issue allows unauthenticated users to pass serialized strings to a vulnerable unserialize call, resulting in arbitrary PHP object injection. While no POP chain is present in the vulnerable plugin itself, the presence of a POP chain via additional plugins or themes could enable more severe exploitation (WPScan, Security Online).

If successfully exploited, this vulnerability could allow attackers to delete arbitrary files, retrieve sensitive data, or potentially execute arbitrary code on the affected system when combined with appropriate POP chains. The unauthenticated nature of the vulnerability makes it particularly dangerous as it requires no user authentication to exploit (WPScan).

The vulnerability has been patched in XStore Core plugin version 5.3.9. Website administrators are strongly advised to update to this version immediately to protect their installations. For users unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks (Patchstack).