Lis Video Gallery CVE-2024-52430
Severity (by source): CRITICAL
CVSS vector (NVD, primary rating and only source for this CVE): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
Description (CVE.org)
Deserialization of Untrusted Data vulnerability in bublick Lis Video Gallery lis-video-gallery allows Object Injection. This issue affects Lis Video Gallery: from n/a through <= 0.2.1.
Analysis (AI)
Untrusted data deserialization in the Lis Video Gallery WordPress plugin (versions through 0.2.1) by bublick allows remote attackers to perform PHP object injection, potentially leading to arbitrary code execution depending on the gadget chains available in the WordPress instance. The CVSS 9.8 score and EPSS of 31.81% (97th percentile) signal an elevated likelihood of exploitation, though no public exploit was identified at the time of analysis. The flaw was disclosed via Patchstack and affects WordPress sites running this plugin.
Technical Context (AI)
The vulnerability is rooted in CWE-502 (Deserialization of Untrusted Data), a class of flaw where attacker-controlled serialized PHP data is passed into unserialize() or equivalent constructs without validation. In WordPress plugin ecosystems, such bugs are commonly exploited through PHP Object Injection: an attacker supplies a crafted serialized payload that, upon deserialization, instantiates objects whose magic methods (__wakeup, __destruct, __toString) chain together gadgets from WordPress core, other active plugins, or Composer dependencies, ultimately producing file writes, SQL execution, or RCE. The affected CPE cpe:2.3:a:lis:video_gallery:*:*:*:*:*:wordpress:*:* identifies the bublick-authored Lis Video Gallery plugin running on the WordPress platform, with all versions up to and including 0.2.1 affected.
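As an added illustration (not code from the Lis Video Gallery plugin or from this page), the PHP below shows the CWE-502 pattern described above beside a hardened handler; the class, function and option names are assumptions made for the example.

```php
<?php
// Added example, not the plugin's code. Class, function and option names
// are hypothetical; the point is the unserialize() call, not the gallery logic.

// Stand-in for a gadget: any class with a magic method that an attacker-
// controlled serialized string could instantiate on unserialize().
class GalleryCacheWriter {
    public $path = '';
    public $data = '';
    public function __wakeup() {
        // A real gadget might write a file here; this one only records that
        // the magic method ran so the two handlers can be compared.
        $GLOBALS['wakeup_fired'] = true;
    }
}

// Vulnerable pattern: request data goes straight into unserialize(), so any
// loaded class with __wakeup/__destruct can be instantiated by the caller.
function load_gallery_options_vulnerable(string $raw): array {
    $opts = unserialize($raw);
    return is_array($opts) ? $opts : [];
}

// Hardened pattern: refuse to instantiate any class (objects are restored as
// __PHP_Incomplete_Class and trigger no magic methods), then accept only a
// flat array of string keys and scalar values. For new code, prefer JSON.
function load_gallery_options_hardened(string $raw): array {
    $opts = unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($opts)) {
        return [];
    }
    foreach ($opts as $k => $v) {
        if (!is_string($k) || !is_scalar($v)) {
            return [];
        }
    }
    return $opts;
}

// Constructed sample inputs: a benign settings array and a serialized object
// of the stand-in class, as an attacker-controlled parameter might carry.
$benign = serialize(['columns' => 3, 'autoplay' => false]);
$object = serialize(new GalleryCacheWriter());

$GLOBALS['wakeup_fired'] = false;
load_gallery_options_vulnerable($object);
echo "vulnerable handler, __wakeup fired: " . var_export($GLOBALS['wakeup_fired'], true) . "\n";

$GLOBALS['wakeup_fired'] = false;
load_gallery_options_hardened($object);
echo "hardened handler, __wakeup fired: " . var_export($GLOBALS['wakeup_fired'], true) . "\n";
echo "hardened handler, benign input: " . var_export(load_gallery_options_hardened($benign), true) . "\n";
```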
Remediation (AI)
No vendor-released patch was identified at the time of analysis from the supplied data: the description lists affected versions 'from n/a through <= 0.2.1' without specifying a fix release, so administrators should consult the Patchstack advisory (referenced by audit@patchstack.com) for the latest fix status. As an immediate compensating control, deactivate and remove the Lis Video Gallery plugin from any WordPress site where it is installed, accepting the loss of video gallery functionality; if removal is not feasible, restrict access to the wp-admin and wp-json endpoints used by the plugin via a WAF rule or an .htaccess IP allowlist, noting that this may break legitimate frontend rendering if shortcode handlers are involved. Site owners using Patchstack, Wordfence, or similar virtual patching services should ensure their signatures cover CVE-2024-52430, and should audit the site for indicators of object injection (unexpected file writes under wp-content, new admin users, modified options table entries).