PT-2025-14844 · WordPress · Tagdiv Composer
Michael Mazzolini · Published 2025-04-04 · Updated 2025-04-09 · CVE-2024-13645
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
tagDiv Composer plugin for WordPress versions up to, and including, 5.3
Description
The issue allows unauthenticated attackers to instantiate a PHP object via the module parameter. This vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present, it may allow the attacker to perform actions like deleting arbitrary files, retrieving sensitive data, or executing code, depending on the POP chain present.
Recommendations
For versions up to, and including, 5.3, consider disabling the module parameter to minimize the risk of exploitation until a patch is available. Restrict access to sensitive data and files to prevent potential damage in case a POP chain is present via another plugin or theme.
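To find installations that fall in the affected range, the following added example (not part of the original advisory and not the vendor's code) scans a WordPress plugins directory and flags any tagDiv Composer copy at version 5.3 or lower. It assumes the plugin's file header names it "tagDiv Composer"; the sample header in the code is constructed.

```python
import re
from pathlib import Path

LAST_AFFECTED = (5, 3)  # from the advisory: "up to, and including, 5.3"
# Assumption: the plugin's header names it "tagDiv Composer", as the advisory does.
PLUGIN_NAME = "tagdiv composer"
# Constructed sample of a WordPress plugin file header (not copied from the plugin).
SAMPLE_HEADER = "<?php\n/*\n * Plugin Name: tagDiv Composer\n * Version: 5.3\n */\n"
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t\r]*$", re.I | re.M)

def parse_plugin_header(text):
    """Read 'Plugin Name' and 'Version' from the start of the file, where WordPress looks."""
    fields = {}
    for key, value in HEADER_RE.findall(text[:8192]):
        fields.setdefault(key.lower(), value)
    return fields

def version_tuple(version):
    """'5.3.1' -> (5, 3, 1); parsing stops at the first non-numeric component."""
    parts = []
    for piece in version.strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)

def is_affected(version):
    """True if version <= 5.3; an unreadable version is treated as affected."""
    found = version_tuple(version)
    if not found:
        return True
    width = max(len(found), len(LAST_AFFECTED))
    pad = lambda t: t + (0,) * (width - len(t))  # so 5.3 == 5.3.0
    return pad(found) <= pad(LAST_AFFECTED)

def audit(plugins_dir):
    """Return (path, version, affected) for each tagDiv Composer copy found."""
    findings = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        header = parse_plugin_header(php.read_text(errors="replace"))
        if PLUGIN_NAME in header.get("plugin name", "").lower():
            version = header.get("version", "")
            findings.append((str(php), version, is_affected(version)))
    return findings

if __name__ == "__main__":
    import sys
    for path, version, affected in audit(sys.argv[1]):
        print(f"{path}: version {version or 'unknown'}: {'AFFECTED' if affected else 'outside listed range'}")
```

Run it with the path to `wp-content/plugins` as the only argument. Because the impact depends on a POP chain in another plugin or theme, an affected result is also a prompt to review what else is installed on that site.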
Fix
Code Injection
Affected Products
Tagdiv Composer