PT-2024-38484 · Devvn · The Image Hotspot

Lucio Sá · Published 2024-08-24 · Updated 2024-08-27 · CVE-2024-7656

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
The Image Hotspot by DevVN plugin for WordPress, versions 1.2.5 and earlier

Description
The issue is PHP Object Injection via deserialization of untrusted input in the devvn_ihotspot_shortcode_func function. It allows authenticated attackers with Author-level access and above to inject a PHP object. If a POP chain is present via an additional plugin or theme, this could enable the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Recommendations
For versions 1.2.5 and earlier, update to a version that fixes this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
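The pattern behind this class of bug, shown as an added illustration rather than the plugin's own code: a WordPress shortcode handler passes an attribute value to unserialize(). Shortcode attributes come from post content, which Author-level users can write, so the serialized string is attacker-controlled and any class with a usable __wakeup() or __destruct() becomes reachable. The function and shortcode names (hotspot_example_*) and the data layout are assumptions; the two hardened variants below show the standard fixes a code reviewer would ask for.

```php
<?php
// Added illustration (not the plugin's code). Names prefixed hotspot_example_
// and the "data" attribute layout are assumptions for this example.

// Vulnerable pattern: unserialize() on a shortcode attribute. WordPress lets
// Author-level users place shortcodes in their posts, so $atts['data'] is
// untrusted input.
function hotspot_example_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'data' => '' ), $atts, 'hotspot_example' );
    // unserialize() instantiates whatever class the payload names and later
    // runs its __wakeup()/__destruct() magic methods: PHP Object Injection.
    $points = unserialize( base64_decode( $atts['data'] ) );
    return hotspot_example_render( $points );
}

// Hardened pattern 1: keep the serialized format but forbid object creation.
function hotspot_example_hardened_unserialize( $atts ) {
    $atts = shortcode_atts( array( 'data' => '' ), $atts, 'hotspot_example' );
    // 'allowed_classes' => false (PHP >= 7.0) turns every object in the
    // payload into __PHP_Incomplete_Class, so no other class's magic methods run.
    $points = unserialize(
        base64_decode( $atts['data'] ),
        array( 'allowed_classes' => false )
    );
    if ( ! is_array( $points ) ) {
        return '';
    }
    return hotspot_example_render( $points );
}

// Hardened pattern 2 (preferred): carry the data as JSON, which cannot
// express PHP objects at all, and decode to plain arrays.
function hotspot_example_hardened_json( $atts ) {
    $atts   = shortcode_atts( array( 'data' => '' ), $atts, 'hotspot_example' );
    $points = json_decode( base64_decode( $atts['data'] ), true );
    if ( ! is_array( $points ) ) {
        return '';
    }
    return hotspot_example_render( $points );
}

// Renders only whitelisted, type-coerced and escaped fields; anything else
// in the decoded structure is ignored.
function hotspot_example_render( $points ) {
    if ( ! is_array( $points ) ) {
        return '';
    }
    $out = '';
    foreach ( $points as $p ) {
        if ( ! is_array( $p ) ) {
            continue;
        }
        $x     = isset( $p['x'] ) ? (int) $p['x'] : 0;
        $y     = isset( $p['y'] ) ? (int) $p['y'] : 0;
        $title = isset( $p['title'] ) ? esc_html( (string) $p['title'] ) : '';
        $out  .= sprintf(
            '<span class="hotspot" style="left:%d%%;top:%d%%">%s</span>',
            $x,
            $y,
            $title
        );
    }
    return $out;
}

// Register the safe variant; the vulnerable function is left unregistered.
add_shortcode( 'hotspot_example', 'hotspot_example_hardened_json' );
```

For triage, a quick review check on an installed plugin is to search its source for unserialize( calls whose argument traces back to shortcode attributes, request parameters, or post meta; a call without the allowed_classes option on such data is the pattern described above. Because the impact depends on a POP chain from other installed code, the practical severity of the finding rises with the number of plugins and themes present on the site.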

Weakness Enumeration
Code Injection

Related Identifiers
CVE-2024-7656

Affected Products
The Image Hotspot