CVE-2024-7560

Name of the Vulnerable Software and Affected Versions The News Flash theme for WordPress versions up to, and including, 1.1.0

Description The issue allows authenticated attackers with Editor-level access and above to inject a PHP Object via deserialization of untrusted input from the newsflash post meta meta value. If a POP chain is present, possibly through an additional plugin or theme, it could enable the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Recommendations For versions up to, and including, 1.1.0, update to a version that fixes the PHP Object Injection issue. As a temporary workaround, consider restricting access to the newsflash post meta meta value to minimize the risk of exploitation.