CVE-2024-52432: 
WordPress vulnerability analysis and mitigation

The NIX Anti-Spam Light WordPress plugin contains a Deserialization of Untrusted Data vulnerability (CVE-2024-52432) that allows Object Injection. This vulnerability affects versions up to and including 0.0.4 of the plugin. The issue was discovered and publicly disclosed on November 15, 2024 (WPScan, Patchstack).

The vulnerability is classified as an Object Injection vulnerability (CWE-502) that occurs due to the deserialization of untrusted input. It has received a CVSS v3.1 score of 9.8 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating that it can be exploited remotely without requiring privileges or user interaction (NVD).

While no known POP (Property-Oriented Programming) chain is present in the vulnerable software itself, if a POP chain exists via additional plugins or themes installed on the target system, attackers could potentially delete arbitrary files, retrieve sensitive data, or execute code on the affected system (WPScan).

Currently, there is no official fix available for this vulnerability. As the software appears to be abandoned (last updated over a year ago), users are strongly advised to remove and replace the plugin with an alternative solution. Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until an official fix becomes available (Patchstack).