WordPress Plugin Vulnerabilities

Knowledge Base for Documentation, FAQs with AI Assistance < 11.31.0 - Unauthenticated PHP Object Injection in is_article_recently_viewed

Description

The Knowledge Base for Documentation, FAQs with AI Assistance plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 11.30.2 via deserialization of untrusted input in the is_article_recently_viewed function. This makes it possible for unauthenticated attackers to inject a PHP Object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Affects Plugins

Plugin icon
echo-knowledge-base
Fixed in 11.31.0

References

CVE
CVE-2024-24842
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/41cfe1d7-2fab-413c-80e5-40d77133d229

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502
CVSS
9.8 (critical)

Miscellaneous

Original Researcher
Ngô Thiên An (ancorn_)
Verified
No
WPVDB ID
09d3d234-238f-4341-8516-a752c2bc9c4a

Timeline

Publicly Published
2024-02-02 (about 2 years ago)
Added
2024-02-05 (about 2 years ago)
Last Updated
2024-02-05 (about 2 years ago)

Other

Published
Title
Published
2018-12-13
Title
WordPress <= 5.0 - PHP Object Injection via Meta Data
Published
2025-01-20
Title
Taxi Booking Manager for WooCommerce – WordPress plugin | Ecab < 1.1.9 - Authenticated (Contributor+) PHP Object Injection
Published
2026-04-16
Title
LuxeDrive - Limousine and Car Rental WordPress Theme < 1.5 - Unauthenticated PHP Object Injection
Published
2024-10-14
Title
Recently <= 1.1 - Unauthenticated PHP Object Injection
Published
2025-05-19
Title
Jarvis – Night Club, Concert, Festival WordPress <= 1.8.11 - Unauthenticated PHP Object Injection