What is the CVSS score of CVE-2024-52433?

CVE-2024-52433 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 80.6%.

Which versions of My Geo Posts Free are affected by CVE-2024-52433?

The 'My Geo Posts Free' WordPress plugin (versions ≤1.2) contains a critical unauthenticated remote code execution vulnerability (CVE-2024-52433, CVSS 9.8) enabling attackers to execute arbitrary…

Is there a public PoC exploit available for CVE-2024-52433?

Yes, a public proof-of-concept exploit is available for CVE-2024-52433. Prioritise patching immediately. EPSS: 80.6%.

How to fix or mitigate CVE-2024-52433?

24 hours: Identify all WordPress instances running 'My Geo Posts Free' plugin version 1.2 or earlier; immediately disable and remove the plugin. 7 days: Conduct comprehensive plugin audit across all WordPress deployments; reset all administrative credentials; review web server logs for exploitation attempts. 30 days: Evaluate alternative geo-location plugins with security assessments; deploy Web Application Firewall rules to detect PHP deserialization attack patterns; implement runtime controls to restrict PHP unserialize() functionality.

My Geo Posts Free CVE-2024-52433

CRITICAL

Deserialization of Untrusted Data (CWE-502)

2024-11-18 audit@patchstack.com

Deserialization

9.8

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

9.8 CRITICAL

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

CVE Published

Nov 18, 2024 - 15:15 nvd

CRITICAL 9.8

DescriptionCVE.org

Deserialization of Untrusted Data vulnerability in Mindstien Technologies My Geo Posts Free my-geo-posts-free allows Object Injection.This issue affects My Geo Posts Free: from n/a through <= 1.2.

AnalysisAI

Unauthenticated PHP object injection in the Mindstien Technologies 'My Geo Posts Free' WordPress plugin (versions up to and including 1.2) allows remote attackers to deserialize attacker-controlled data, potentially leading to full site compromise. The flaw is rated CVSS 9.8 and carries an EPSS of 80.62% (99th percentile), indicating very high probability of near-term exploitation, though no public exploit identified at time of analysis.

Technical ContextAI

The plugin is affected by CWE-502 (Deserialization of Untrusted Data), commonly known as PHP Object Injection in the WordPress ecosystem. The CPE cpe:2.3:a:mindstien:my_geo_posts_free identifies the vulnerable component as a WordPress plugin running within the PHP runtime, where unserialize() or similar deserialization routines are invoked on untrusted input. When combined with 'POP gadget chains' present in WordPress core or other installed plugins/themes, deserialization of attacker-controlled objects can trigger arbitrary method calls, file operations, or code execution through magic methods such as __wakeup, __destruct, or __toString.

RemediationAI

No vendor-released patch identified at time of analysis; the advisory only states the issue affects versions up to and including 1.2 without naming a fixed release. Site operators should deactivate and uninstall the My Geo Posts Free plugin until Mindstien Technologies publishes a fixed version, since leaving it active exposes the site to unauthenticated object injection. As compensating controls, place the site behind a WAF such as Patchstack or Wordfence with virtual patching for CWE-502 in this plugin, restrict access to the plugin's PHP endpoints via web server rules (with the trade-off that legitimate plugin functionality will break), and audit the site for indicators such as unexpected admin accounts, modified theme/plugin files, or suspicious scheduled tasks. Monitor the Patchstack database (the reporter, audit@patchstack.com) for the eventual fixed-version disclosure.

CVE-2024-52433 vulnerability details – vuln.today

Back

My Geo Posts Free CVE-2024-52433

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code