PT-2025-11667 · WordPress · Tinysalt+1

Lucio Sá · Published 2025-03-19 · Updated 2025-03-24 · CVE-2024-13410

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

CozyStay versions 1.7.0 and earlier; TinySalt versions 3.9.0 and earlier

Description

The issue affects the CozyStay and TinySalt plugins for WordPress, allowing unauthenticated attackers to inject a PHP object through deserialization of untrusted input in the ajax handler function. This vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme, it may allow the attacker to perform actions like deleting arbitrary files, retrieving sensitive data, or executing code, depending on the POP chain present.

Recommendations

For CozyStay versions 1.7.0 and earlier, update to a version later than 1.7.0 to mitigate the risk. For TinySalt versions 3.9.0 and earlier, update to a version later than 3.9.0 to mitigate the risk. As a temporary workaround, consider disabling the ajax handler function until a patch is available.
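As an added illustration (not the CozyStay or TinySalt code; the handler names, action names and fields are hypothetical), a WordPress AJAX handler in the vulnerable shape the advisory describes, beside a hardened rewrite that removes the deserialization sink:

```php
<?php
// Added example, not the plugins' own code. Shows why unserialize() on
// request data in a wp_ajax_nopriv_* handler is an object-injection sink,
// and how the same feature looks without that sink.

// VULNERABLE SHAPE (hypothetical): reachable without authentication, and
// unserialize() instantiates whatever class the input names, so any POP
// chain shipped by another plugin or theme becomes reachable.
function example_vulnerable_ajax_handler() {
    $raw  = isset( $_POST['data'] ) ? wp_unslash( $_POST['data'] ) : '';
    $data = unserialize( $raw ); // object injection sink
    wp_send_json_success( $data );
}
add_action( 'wp_ajax_nopriv_example_vuln', 'example_vulnerable_ajax_handler' );
add_action( 'wp_ajax_example_vuln', 'example_vulnerable_ajax_handler' );

// HARDENED VERSION: JSON cannot instantiate PHP objects, the request must
// carry a nonce, and only the fields the handler needs are kept.
function example_hardened_ajax_handler() {
    check_ajax_referer( 'example_action', 'nonce' ); // rejects requests without a valid nonce

    $raw  = isset( $_POST['data'] ) ? wp_unslash( $_POST['data'] ) : '';
    $data = json_decode( $raw, true ); // associative arrays only, never objects
    if ( ! is_array( $data ) || json_last_error() !== JSON_ERROR_NONE ) {
        wp_send_json_error( array( 'message' => 'Invalid payload' ), 400 );
    }

    // Allow-list and sanitize exactly the fields this handler uses.
    $clean = array(
        'listing_id' => isset( $data['listing_id'] ) ? absint( $data['listing_id'] ) : 0,
        'guests'     => isset( $data['guests'] ) ? absint( $data['guests'] ) : 1,
    );
    wp_send_json_success( $clean );
}
add_action( 'wp_ajax_nopriv_example_safe', 'example_hardened_ajax_handler' );
add_action( 'wp_ajax_example_safe', 'example_hardened_ajax_handler' );

// If the serialized-string format must be kept for compatibility, PHP 7.0+
// can refuse to instantiate any class, which removes the object-injection
// primitive (this still does not replace validation of the decoded data).
function example_safe_unserialize( $raw ) {
    return unserialize( $raw, array( 'allowed_classes' => false ) );
}
```

When reviewing a site for this bug class, grep plugin and theme code for `unserialize(` calls whose argument derives from `$_POST`, `$_GET`, `$_COOKIE` or request headers inside `wp_ajax_*` callbacks.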

Fix

Weakness Enumeration: Deserialization of Untrusted Data

Related Identifiers: CVE-2024-13410

Affected Products: Cozystay, Tinysalt