CVE-2024-1792

Name of the Vulnerable Software and Affected Versions CMB2 plugin for WordPress versions up to, and including, 2.10.1

Description The CMB2 plugin for WordPress is vulnerable to PHP Object Injection via deserialization of untrusted input from the text datetime timestamp timezone field. This allows authenticated attackers with contributor access or higher to inject a PHP Object. If a POP chain is present via an additional plugin or theme, it could enable the attacker to delete arbitrary files, retrieve sensitive data, or execute code. The plugin is a developer toolkit and requires the presence of a metabox activation in the code for the vulnerability to be exploitable.

Recommendations For versions up to, and including, 2.10.1, update to a version that fixes the PHP Object Injection issue. As a temporary workaround, consider disabling the metabox activation in your code until a patch is available. Restrict access to the text datetime timestamp timezone field to minimize the risk of exploitation.