CVE-2024-52443: 
WordPress vulnerability analysis and mitigation

A PHP Object Injection vulnerability has been identified in the WordPress Geolocator plugin versions up to 1.1. The vulnerability was discovered by LVT-tholv2k and published on November 18, 2024, with CVE identifier CVE-2024-52443. This security flaw affects the Geolocator plugin developed by Nerijus Masikonis, which appears to be abandoned as it hasn't received updates in over a year (Patchstack).

The vulnerability is classified as a Deserialization of Untrusted Data issue that allows Object Injection. It has received a Critical CVSS v3.1 base score of 9.8 (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating the highest severity level. The vulnerability can be exploited without requiring authentication, making it particularly dangerous (Patchstack).

The PHP Object Injection vulnerability could potentially allow malicious actors to execute code injection, SQL injection, path traversal, or denial of service attacks if a proper POP chain is present. Given the critical CVSS score and the unauthenticated nature of the exploit, this vulnerability is expected to become mass exploited (Patchstack).

Currently, there is no official fix available for this vulnerability. Patchstack has issued a virtual patch to mitigate the issue by blocking potential attacks until an official fix becomes available. Given that the software appears to be abandoned, users are strongly advised to remove and replace the plugin with an alternative solution. Note that merely deactivating the plugin does not remove the security threat unless a virtual patch is deployed (Patchstack).