PT-2024-23578 · Wpbeginner · Last Viewed Posts By Wpbeginner

Francesco Carlucci · Published 2024-05-09 · Updated 2024-05-14 · CVE-2024-3070

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

The Last Viewed Posts by WPBeginner plugin for WordPress, versions prior to 1.1.0 (that is, version 1.0.0 and earlier).

Description

The issue allows unauthenticated attackers to inject a PHP object via deserialization of untrusted input from the LastViewedPosts cookie. This could potentially lead to the deletion of arbitrary files, retrieval of sensitive data, or execution of code if a POP chain is present, possibly introduced by an additional plugin or theme on the target system.

Recommendations

For versions prior to 1.1.0, update to version 1.1.0 or later to resolve the issue. For version 1.0.0, as a temporary workaround, consider restricting access to the LastViewedPosts cookie to minimize the risk of exploitation.
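To make the weakness class concrete, here is a constructed PHP illustration of the vulnerable pattern the advisory describes (unserialize() on a visitor-controlled cookie) next to a hardened replacement. This is added example code, not the plugin's own source; only the cookie name LastViewedPosts is taken from the advisory, and the function names, the JSON storage format and the post-ID semantics are assumptions.

```php
<?php
// Constructed illustration of the weakness class this advisory names
// (deserialization of untrusted cookie data). It is NOT the plugin's code;
// only the cookie name comes from the advisory, everything else is assumed.
// Vulnerable pattern: unserialize() on an attacker-controlled cookie lets the
// sender instantiate any class loaded on the site, so __wakeup()/__destruct()
// of unrelated plugins or themes run on attacker-chosen state (a "POP chain").
function last_viewed_posts_unsafe(): array {
    if (empty($_COOKIE['LastViewedPosts'])) {
        return [];
    }
    // stripslashes() because WordPress slash-escapes superglobals on load.
    $data = unserialize(stripslashes($_COOKIE['LastViewedPosts']));
    return is_array($data) ? $data : [];
}

// Hardened pattern: the cookie only needs to carry a list of post IDs, so use
// JSON (which cannot express PHP objects) and validate every element.
function last_viewed_posts_safe(int $max = 10): array {
    if (empty($_COOKIE['LastViewedPosts'])) {
        return [];
    }
    $decoded = json_decode(stripslashes($_COOKIE['LastViewedPosts']), true);
    if (!is_array($decoded)) {
        return [];
    }
    $ids = [];
    foreach ($decoded as $value) {
        // Accept only positive integers (or digit-only strings), de-duplicated.
        if (is_int($value) || (is_string($value) && ctype_digit($value))) {
            $id = (int) $value;
            if ($id > 0 && !in_array($id, $ids, true)) {
                $ids[] = $id;
            }
        }
        if (count($ids) >= $max) {
            break;
        }
    }
    return $ids;
}

// Writing side of the safe variant: emit JSON, never serialize().
function last_viewed_posts_remember(int $post_id, int $max = 10): void {
    $ids = array_diff(last_viewed_posts_safe($max), [$post_id]);
    array_unshift($ids, $post_id);
    setcookie('LastViewedPosts', json_encode(array_slice($ids, 0, $max)),
        ['expires' => time() + 7 * 86400, 'path' => '/', 'httponly' => true, 'samesite' => 'Lax']);
}
```

If a legacy serialized format cannot be dropped outright, `unserialize($data, ['allowed_classes' => false])` at least refuses to instantiate objects (they come back as __PHP_Incomplete_Class), which removes the POP-chain trigger even though JSON plus validation remains the better fix.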

Fix

Weakness Enumeration

Deserialization of Untrusted Data

Related Identifiers

CVE-2024-3070

Affected Products

Last Viewed Posts By Wpbeginner