VRPConnector CVE-2024-56058

CRITICAL
Deserialization of Untrusted Data (CWE-502)
2024-12-18 audit@patchstack.com
9.8
CVSS 3.1 · NVD
Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

CVSS changed
Apr 23, 2026 - 15:42 NVD
9.8 (CRITICAL)
CVE Published
Dec 18, 2024 - 12:15 nvd
N/A

Description (CVE.org)

Deserialization of Untrusted Data vulnerability in denniskravetstns VRPConnector vrpconnector allows Object Injection. This issue affects VRPConnector: from n/a through <= 2.0.1.

Analysis (AI)

Unsafe PHP object deserialization in the VRPConnector WordPress plugin (versions up to and including 2.0.1) by denniskravetstns enables remote code execution through PHP Object Injection. Remote attackers can submit crafted serialized payloads that, when unserialized, instantiate attacker-controlled objects and trigger magic methods, leading to arbitrary code execution. No public exploit was identified at the time of analysis, but EPSS places this CVE in the 97th percentile (36.92%), indicating an elevated likelihood of exploitation.

Technical Context (AI)

VRPConnector is a third-party WordPress plugin (vendor denniskravetstns) that integrates external vacation rental property data into WordPress sites. The flaw is classified as CWE-502 (Deserialization of Untrusted Data); the root cause is PHP's unserialize() being invoked on attacker-influenced input. In PHP/WordPress ecosystems, this class of bug is commonly exploited via POP chains (Property-Oriented Programming) that abuse __wakeup, __destruct, or __toString magic methods in WordPress core or other loaded plugins/themes to reach dangerous sinks such as file writes or system command execution. The advisory's tags confirm 'Deserialization' as the vulnerability class.

Affected Products (AI)

The affected product is the VRPConnector WordPress plugin by denniskravetstns, all versions from initial release through and including 2.0.1, as reported by Patchstack (audit@patchstack.com). No CPE string was provided in the intelligence input, and no vendor advisory URL was supplied beyond the Patchstack reporter attribution; defenders should consult the Patchstack vulnerability database entry for CVE-2024-56058 for the canonical advisory.

Remediation (AI)

No vendor-released patch identified at time of analysis - VRPConnector appears to be unmaintained, with the affected range covering all versions up to and including 2.0.1 and no fixed version disclosed. The most reliable compensating control is to deactivate and uninstall the VRPConnector plugin from affected WordPress installations, accepting loss of vacation-rental integration functionality as the trade-off. If removal is not immediately feasible, restrict access to the plugin's HTTP endpoints via a web application firewall rule blocking serialized PHP payloads (patterns such as 'O:' followed by a length and class name in POST bodies or query strings) and limit access to wp-admin and AJAX endpoints by IP allowlist; note that WAF signatures for PHP Object Injection are bypass-prone and should not be treated as durable protection. Monitor the Patchstack advisory at patchstack.com for any future fork or community patch.
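The compensating WAF rule above looks for serialized PHP object headers in request parameters. As an added illustration (not code from the advisory or from the plugin), the following Python detector applies that rule to constructed sample request bodies and URL-decodes the input first, since a naive 'O:' string match misses a payload that arrives percent-encoded; the class-name regex and the sample bodies are assumptions for the demonstration.

```python
import re
from urllib.parse import unquote_plus

# Serialized PHP object header: O:<name length>:"<class name>":<property count>:{
# A match inside an untrusted request parameter is a strong signal that the
# input is destined for unserialize() with a crafted object (CWE-502).
# Signature matching like this is a compensating control only: it is
# bypass-prone, as the advisory notes, and does not replace removing the plugin.
PHP_OBJECT_RE = re.compile(r'O:\d+:"([A-Za-z0-9_\\]+)":\d+:\{')


def decode_layers(value: str, max_layers: int = 2) -> str:
    """Undo up to max_layers of URL encoding before inspecting the payload."""
    for _ in range(max_layers):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_serialized_objects(raw_body: str) -> list[str]:
    """Return the class names of serialized PHP objects found in a body or query string."""
    return PHP_OBJECT_RE.findall(decode_layers(raw_body))


# Constructed sample requests (not real traffic): a benign search form post,
# a plain serialized object, and the same object URL-encoded once.
SAMPLE_REQUESTS = [
    "action=search&city=Aspen&guests=4",
    'data=O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}',
    "data=O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A3%3A%22foo%22%3Bs%3A3%3A%22bar%22%3B%7D",
]


def scan_requests(requests: list[str]) -> list[tuple[str, list[str]]]:
    """Pair each request with the serialized object class names it carries ([] if clean)."""
    return [(req, find_serialized_objects(req)) for req in requests]


if __name__ == "__main__":
    for req, classes in scan_requests(SAMPLE_REQUESTS):
        verdict = f"BLOCK (serialized objects: {classes})" if classes else "allow"
        print(f"{verdict}: {req}")
```

The third sample is flagged only because of the decoding step; a rule that matches the literal 'O:' on the raw body would let it through.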

CVE-2024-56058 vulnerability details – vuln.today