Skip to main content

Partners WordPress Plugin CVE-2024-56059

CRITICAL
Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) (CWE-1321)
2024-12-18 audit@patchstack.com
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
CVSS changed
Apr 23, 2026 - 15:42 NVD
9.8 (CRITICAL)
CVE Published
Dec 18, 2024 - 12:15 nvd
N/A

DescriptionCVE.org

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability in farinspace Partners partners allows Object Injection.This issue affects Partners: from n/a through <= 0.2.0.

AnalysisAI

Prototype pollution in the farinspace Partners WordPress plugin (versions up to and including 0.2.0) enables remote unauthenticated attackers to inject properties into base Object prototypes, leading to object injection and potentially remote code execution. The CVSS 9.8 score combined with a notable EPSS of 26.25% (96th percentile) signals elevated exploitation risk, though no public exploit identified at time of analysis and the issue is not present in CISA KEV.

Technical ContextAI

The flaw is classified as CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes, 'Prototype Pollution'), a JavaScript/PHP class of weakness where untrusted input is merged into objects without filtering reserved keys like __proto__, prototype, or constructor. In a WordPress plugin context this typically manifests in recursive merge, extend, or settings-import routines that walk user-supplied key paths. Once base prototype properties are polluted, downstream code paths that read properties without hasOwnProperty checks can be coerced into unintended branches - enabling Object Injection (as tagged) and, in WordPress, can escalate to gadget-chain code execution depending on plugin/theme stacks loaded.

Affected ProductsAI

The affected product is the farinspace Partners WordPress plugin, all versions from initial release through and including 0.2.0 (n/a through <= 0.2.0 per the advisory). No CPE string was provided in the input data, and no vendor advisory URL was included beyond the Patchstack reporter attribution; defenders should consult the Patchstack database entry for CVE-2024-56059 for the canonical advisory.

RemediationAI

No vendor-released patch identified at time of analysis - the advisory states the issue affects versions up to and including 0.2.0 with no fixed version listed. Until a patched release is published by farinspace, administrators should deactivate and remove the Partners plugin from WordPress installations, particularly on internet-facing sites, as the plugin is reachable by unauthenticated remote attackers per the CVSS vector. Compensating controls include placing the WordPress site behind a WAF with rules blocking request bodies containing __proto__, constructor.prototype, or prototype keys (trade-off: may false-positive on legitimate JSON APIs that legitimately reference these properties), restricting access to plugin endpoints via IP allowlisting at the web server level, and monitoring the Patchstack and farinspace plugin pages for an updated release.

CVE-2026-34621 HIGH POC
8.6 Apr 11

Prototype pollution in Adobe Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier enables arbitrary code execu

CVE-2020-28271 CRITICAL POC
9.8 Nov 12

Prototype pollution vulnerability in 'deephas' versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service

CVE-2023-38894 CRITICAL POC
9.8 Aug 16

A Prototype Pollution issue in Cronvel Tree-kit v.0.7.4 and before allows a remote attacker to execute arbitrary code vi

CVE-2024-24292 CRITICAL POC
9.8 Mar 28

A Prototype Pollution issue in Aliconnect /sdk v.0.0.6 allows an attacker to execute arbitrary code via the aim function

CVE-2023-26121 CRITICAL POC
10.0 Apr 11

All versions of the package safe-eval are vulnerable to Prototype Pollution via the safeEval function, due to improper s

CVE-2021-23449 CRITICAL POC
10.0 Oct 18

This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitr

CVE-2024-39011 CRITICAL POC
9.8 Jul 30

Prototype Pollution in chargeover redoc v2.0.9-rc.69 allows attackers to execute arbitrary code or cause a Denial of Ser

CVE-2024-38988 CRITICAL POC
9.8 Mar 28

alizeait unflatto <= 1.0.2 was discovered to contain a prototype pollution via the method exports.unflatto at /dist/inde

CVE-2025-57347 CRITICAL POC
9.8 Sep 24

A vulnerability exists in the 'dagre-d3-es' Node.js package version 7.0.9, specifically within the 'bk' module's addConf

CVE-2025-57321 CRITICAL POC
9.8 Sep 24

A Prototype Pollution vulnerability in the util-deps.addFileDepend function of magix-combine-ex versions thru 1.2.10 all

CVE-2024-45435 CRITICAL POC
9.8 Aug 29

Chartist 1.x through 1.3.0 allows Prototype Pollution via the extend function. Rated critical severity (CVSS 9.8), this

CVE-2024-38983 CRITICAL POC
9.8 Jul 30

Prototype Pollution in alykoshin mini-deep-assign v0.0.8 allows an attacker to execute arbitrary code or cause a Denial

Share

CVE-2024-56059 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy