Partners WordPress Plugin CVE-2024-56059
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability in farinspace Partners partners allows Object Injection.This issue affects Partners: from n/a through <= 0.2.0.
AnalysisAI
Prototype pollution in the farinspace Partners WordPress plugin (versions up to and including 0.2.0) enables remote unauthenticated attackers to inject properties into base Object prototypes, leading to object injection and potentially remote code execution. The CVSS 9.8 score combined with a notable EPSS of 26.25% (96th percentile) signals elevated exploitation risk, though no public exploit identified at time of analysis and the issue is not present in CISA KEV.
Technical ContextAI
The flaw is classified as CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes, 'Prototype Pollution'), a JavaScript/PHP class of weakness where untrusted input is merged into objects without filtering reserved keys like __proto__, prototype, or constructor. In a WordPress plugin context this typically manifests in recursive merge, extend, or settings-import routines that walk user-supplied key paths. Once base prototype properties are polluted, downstream code paths that read properties without hasOwnProperty checks can be coerced into unintended branches - enabling Object Injection (as tagged) and, in WordPress, can escalate to gadget-chain code execution depending on plugin/theme stacks loaded.
Affected ProductsAI
The affected product is the farinspace Partners WordPress plugin, all versions from initial release through and including 0.2.0 (n/a through <= 0.2.0 per the advisory). No CPE string was provided in the input data, and no vendor advisory URL was included beyond the Patchstack reporter attribution; defenders should consult the Patchstack database entry for CVE-2024-56059 for the canonical advisory.
RemediationAI
No vendor-released patch identified at time of analysis - the advisory states the issue affects versions up to and including 0.2.0 with no fixed version listed. Until a patched release is published by farinspace, administrators should deactivate and remove the Partners plugin from WordPress installations, particularly on internet-facing sites, as the plugin is reachable by unauthenticated remote attackers per the CVSS vector. Compensating controls include placing the WordPress site behind a WAF with rules blocking request bodies containing __proto__, constructor.prototype, or prototype keys (trade-off: may false-positive on legitimate JSON APIs that legitimately reference these properties), restricting access to plugin endpoints via IP allowlisting at the web server level, and monitoring the Patchstack and farinspace plugin pages for an updated release.
More in Prototype Pollution
View allPrototype pollution in Adobe Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier enables arbitrary code execu
Prototype pollution vulnerability in 'deephas' versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service
A Prototype Pollution issue in Cronvel Tree-kit v.0.7.4 and before allows a remote attacker to execute arbitrary code vi
A Prototype Pollution issue in Aliconnect /sdk v.0.0.6 allows an attacker to execute arbitrary code via the aim function
All versions of the package safe-eval are vulnerable to Prototype Pollution via the safeEval function, due to improper s
This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitr
Prototype Pollution in chargeover redoc v2.0.9-rc.69 allows attackers to execute arbitrary code or cause a Denial of Ser
alizeait unflatto <= 1.0.2 was discovered to contain a prototype pollution via the method exports.unflatto at /dist/inde
A vulnerability exists in the 'dagre-d3-es' Node.js package version 7.0.9, specifically within the 'bk' module's addConf
A Prototype Pollution vulnerability in the util-deps.addFileDepend function of magix-combine-ex versions thru 1.2.10 all
Chartist 1.x through 1.3.0 allows Prototype Pollution via the extend function. Rated critical severity (CVSS 9.8), this
Prototype Pollution in alykoshin mini-deep-assign v0.0.8 allows an attacker to execute arbitrary code or cause a Denial
Same technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today