CVE-2024-7435: 
WordPress vulnerability analysis and mitigation

The Attire theme for WordPress contains a PHP Object Injection vulnerability (CVE-2024-7435) affecting all versions up to and including 2.0.6. The vulnerability was disclosed on August 30, 2024, and allows authenticated attackers with Contributor-level access or higher to perform PHP Object Injection through deserialization of untrusted input (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The issue is classified as CWE-502 (Deserialization of Untrusted Data). While no known POP (Property-Oriented Programming) chain is present in the vulnerable software itself, the presence of additional plugins or themes could provide an exploitation chain (NVD).

If successfully exploited in conjunction with a POP chain from additional installed plugins or themes, this vulnerability could enable attackers to delete arbitrary files, retrieve sensitive data, or execute arbitrary code on the affected system (NVD).

Users should upgrade to Attire theme version 2.0.7 or later which contains the fix for this vulnerability (WordPress Themes).