Coupon Referral Program CVE-2024-25100

CRITICAL
Deserialization of Untrusted Data (CWE-502)
2024-02-12 audit@patchstack.com
10.0
CVSS 3.1 · NVD
Severity by source

NVD PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Description (CVE.org)

Deserialization of Untrusted Data vulnerability in WP Swings Coupon Referral Program coupon-referral-program allows Object Injection. This issue affects Coupon Referral Program: from n/a through < 1.8.4.

Analysis (AI)

Unauthenticated PHP object injection in the WP Swings Coupon Referral Program plugin for WordPress (versions up to and including 1.8.4) allows remote attackers to deliver crafted serialized payloads that the plugin deserializes, leading to full compromise with changed scope (CVSS 10.0). No public exploit has been identified at time of analysis, and EPSS sits at 0.83% (75th percentile) - moderate exploitation likelihood despite the maximum severity score. The vulnerability is not currently listed in CISA KEV.

Technical Context (AI)

The affected component is the WP Swings Coupon Referral Program plugin (CPE cpe:2.3:a:wpswings:coupon_referral_program), a WordPress e-commerce add-on that integrates with WooCommerce to manage referral coupons. The root cause is CWE-502 (Deserialization of Untrusted Data), a class of bug in which attacker-controlled input reaches PHP's unserialize() function or an equivalent routine. In WordPress plugin contexts, this typically results in PHP Object Injection, where the attacker constructs a serialized object that, when reconstituted, triggers magic methods (__wakeup, __destruct, __toString) on classes loaded into the runtime. When suitable POP (Property-Oriented Programming) gadget chains exist in WordPress core, WooCommerce, or other active plugins, the injection escalates to arbitrary file read/write, SQL execution, or remote code execution.
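To make the CWE-502 pattern concrete from the defender's side, here is an added example (not code from the plugin or from WP Swings) of how a WordPress plugin can accept serialized data from an untrusted source without ever instantiating attacker-chosen classes. The function names and the sample inputs are hypothetical and constructed for illustration.

```php
<?php
// Added example, not the plugin's code. Deserializes untrusted input while
// refusing to let any class be instantiated, so no __wakeup/__destruct/
// __toString of a real class can run during unserialize().

/**
 * Returns the decoded scalar/array, or null if the payload is malformed or
 * smuggled an object (at any nesting depth).
 */
function safe_unserialize_no_objects(string $raw) {
    // Fast reject: a top-level object or custom-serialized token is never
    // legitimate for plain coupon/referral data.
    if (preg_match('/^[OC]:\d+:"/', $raw)) {
        return null;
    }
    // allowed_classes => false (PHP >= 7.0) replaces every object in the
    // stream with __PHP_Incomplete_Class, whose magic methods do nothing.
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if ($value === false && $raw !== 'b:0;') {
        return null; // malformed input (b:0; is the only legitimate "false")
    }
    return contains_incomplete_class($value) ? null : $value;
}

function contains_incomplete_class($value): bool {
    if (is_object($value) && get_class($value) === '__PHP_Incomplete_Class') {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_incomplete_class($item)) {
                return true;
            }
        }
    }
    return false;
}

// Constructed inputs for illustration (hypothetical referral data).
$benign  = serialize(['coupon' => 'REF10', 'uses' => 3]);
$hostile = 'a:1:{i:0;O:8:"stdClass":1:{s:1:"x";i:1;}}'; // object hidden in an array

var_dump(safe_unserialize_no_objects($benign));   // decoded array
var_dump(safe_unserialize_no_objects($hostile));  // rejected

// Preferred for new code: JSON carries no object-instantiation semantics at all.
$stored  = json_encode(['coupon' => 'REF10', 'uses' => 3]);
$decoded = json_decode($stored, true, 512, JSON_THROW_ON_ERROR);
```

The same `allowed_classes` option can be applied to existing `unserialize()` call sites as an interim hardening step where switching the storage format to JSON is not yet possible.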

Remediation (AI)

Upgrade the Coupon Referral Program plugin to a version newer than 1.8.4 - a vendor-released fixed version is referenced by the advisory but the exact patched build number is not independently confirmed from the supplied data, so administrators should consult the Patchstack advisory and the WP Swings plugin changelog to identify the current patched release before upgrading. If immediate patching is not possible, deactivate and remove the plugin until it can be upgraded; this fully eliminates exposure but breaks any referral-coupon functionality and any shortcodes embedded in pages. As a compensating control short of removal, restrict access to the plugin's AJAX and REST endpoints at the web server or WAF layer (block or require authentication for requests to admin-ajax.php actions associated with the plugin, and to its registered REST routes), accepting that legitimate referral users will also be blocked. Generic WAF rules detecting serialized PHP payloads (strings beginning with O:, a:, or s: in request bodies) provide partial mitigation but are easily bypassed and can break unrelated functionality.

CVE-2024-25100 vulnerability details – vuln.today