PT-2024-23854 · WordPress · Wordpress

Peterwilsoncc · Published 2024-04-04 · Updated 2026-02-12 · CVE-2024-31211

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions
WordPress versions 6.4.0 through 6.4.1

Description
The issue allows for code execution via the __destruct() magic method of the WP_HTML_Token class when unserializing its instances. This issue was fixed in WordPress 6.4.2 on December 6th, 2023.

Recommendations
For versions 6.4.0 through 6.4.1, update to WordPress 6.4.2 or later to resolve the issue. As a temporary workaround, consider disabling the unserialization of WP_HTML_Token class instances until a patch is available.

Exploit

Fix

RCE

Deserialization of Untrusted Data


Weakness Enumeration

Related Identifiers

BIT-WORDPRESS-2024-31211
BIT-WORDPRESS-MULTISITE-2024-31211
CVE-2024-31211
GHSA-M257-Q4M5-J653

Affected Products

Wordpress