CVE-2024-43242: 
WordPress vulnerability analysis and mitigation

A critical Deserialization of Untrusted Data vulnerability (CVE-2024-43242) was discovered in the Ultimate Membership Pro WordPress plugin, affecting versions up to 12.6. The vulnerability allows unauthenticated PHP Object Injection, posing a significant security risk to approximately 40,000 websites using this premium plugin (Security Online, Patchstack).

The vulnerability stems from inadequate sanitization of user input before it passes through the deserialization process. The issue received a CVSS v3.1 base score of 10.0 (Critical) from NIST and 9.0 (Critical) from Patchstack, with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. The flaw is classified as CWE-502 (Deserialization of Untrusted Data) and affects multiple functions in the plugin, including ihcajaxstripeconnectgeneratepaymentintent and checkCookies (NVD, WPScan).

The vulnerability allows unauthenticated attackers to inject malicious PHP objects into the application scope. While no known POP chain is present in the vulnerable software itself, if a POP chain exists via additional plugins or themes, attackers could potentially delete arbitrary files, retrieve sensitive data, or execute arbitrary code on the affected system (WPScan, Security Online).

Website administrators are strongly advised to update to Ultimate Membership Pro version 12.8 or later, which contains the fix for this vulnerability. Patchstack has issued a virtual patch to mitigate this issue by blocking attacks until users can update to a fixed version (Patchstack).