WordPress Plugin Vulnerabilities

String Locator < 2.6.7 - Unauthenticated PHP Object Injection

Description

The String locator plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.6.6 via deserialization of untrusted input in the 'recursive_unserialize_replace' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. An administrator must perform a search and replace action to trigger the exploit.

Affects Plugins

Plugin icon
string-locator
Fixed in 2.6.7

References

CVE
CVE-2024-10936
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/1404f034-2d1d-44b2-87e5-61f72f215417

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Webbernaut
Verified
No
WPVDB ID
2dc339aa-6e00-4f84-96bd-9afebf7bdd7d

Timeline

Publicly Published
2025-01-20 (about 1 year ago)
Added
2025-01-27 (about 1 year ago)
Last Updated
2025-01-27 (about 1 year ago)

Other

Published
Title
Published
2025-09-22
Title
Awesome Support < 6.3.6 - Authenticated (Support Manager+) PHP Object Injection
Published
2026-04-08
Title
Mildhill < 1.6 - Unauthenticated PHP Object Injection
Published
2024-08-07
Title
News Flash <= 1.1.0 - Authenticated (Editor+) PHP Object Injection
Published
2025-03-26
Title
Export All Posts, Products, Orders, Refunds & Users < 2.14 - Unauthenticated PHP Object Injection
Published
2023-12-05
Title
Sayfa Sayaç <= 2.6 - Unauthenticated PHP Object Injection