CVE-2024-13824

Name of the Vulnerable Software and Affected Versions: CiyaShop - Multipurpose WooCommerce Theme versions up to 4.19.0

Description: The issue is related to PHP Object Injection via deserialization of untrusted input in the add ciyashop wishlist and ciyashop get compare functions. This allows unauthenticated attackers to inject a PHP Object. However, without a POP chain present in the vulnerable software, the impact is limited. If a POP chain is present via an additional plugin or theme, it may allow the attacker to perform actions like deleting arbitrary files, retrieving sensitive data, or executing code.

Recommendations: For versions up to 4.19.0, as a temporary workaround, consider disabling the add ciyashop wishlist and ciyashop get compare functions until a patch is available. Restrict access to these functions to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.