CVE-2024-49624: 
WordPress vulnerability analysis and mitigation

The Advanced Advertising System WordPress plugin contains a Deserialization of Untrusted Data vulnerability (CVE-2024-49624) that allows Object Injection. This vulnerability affects versions up to and including 1.3.1 of the plugin. The vulnerability was discovered by researcher Mika and was publicly disclosed on October 18, 2024 (WPScan, Patchstack).

The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data) and has received a CVSS v3.1 score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. This indicates that the vulnerability can be exploited remotely without requiring privileges or user interaction (NVD).

The vulnerability allows unauthenticated attackers to inject PHP Objects. While no known POP (Property-Oriented Programming) chain is present in the vulnerable software itself, if a POP chain exists via additional plugins or themes installed on the target system, attackers could potentially delete arbitrary files, retrieve sensitive data, or execute code (WPScan).

Currently, there is no official fix available for this vulnerability. Patchstack has issued a virtual patch to mitigate the issue by blocking potential attacks until an official fix becomes available. Website owners are advised to mitigate or resolve the vulnerability immediately (Patchstack).