Platform
wordpress
Component
tagdiv-composer
Fixed in
5.3.1
CVE-2024-13645 is a critical vulnerability affecting TagDiv Composer, a WordPress plugin, in versions up to and including 5.3. It allows unauthenticated attackers to instantiate arbitrary PHP objects through a module parameter. While no known POP (Property-Oriented Programming) chain exists within TagDiv Composer itself, the potential for exploitation increases significantly if another plugin or theme on the same WordPress site contains such a chain, enabling actions like file deletion and data retrieval.
The core impact of CVE-2024-13645 lies in its ability to allow an attacker to instantiate PHP objects. This, in itself, is not immediately exploitable. However, the real danger arises when combined with other vulnerabilities on the same WordPress site. If another plugin or theme contains a POP chain—a sequence of object method calls that can be exploited to execute arbitrary code—the instantiation provided by CVE-2024-13645 can be leveraged to trigger that chain. This could lead to complete compromise of the WordPress site, including unauthorized access to sensitive data, modification of website content, and even remote code execution. The blast radius extends to any data stored within the WordPress database or accessible through the site’s file system.
CVE-2024-13645 was published on 2025-04-04. Its practical severity depends on the presence of a POP chain in other plugins or themes. Public proof-of-concept code is not currently available, but the potential for exploitation is considered high because object instantiation is easy to trigger. It is not currently listed on CISA KEV. Active campaigns are not confirmed at this time.
WordPress websites using TagDiv Composer versions 5.3 and earlier are at risk. This includes sites with multiple plugins and themes installed, as the vulnerability's impact is significantly increased by the presence of a POP chain in other components. Shared hosting environments are particularly vulnerable, as they often have limited control over the plugins and themes installed on the server.
Detection and remediation commands (wordpress / composer / npm):
• Check whether the plugin's code is present on disk:
grep -r 'tagDivComposer' /var/www/html/wp-content/plugins/
• List the installed plugin and its version with WP-CLI (the slug is tagdiv-composer):
wp plugin list | grep -i tagdiv
• Confirm whether the plugin's module endpoint is reachable from outside (HEAD request only):
curl -I 'http://your-wordpress-site.com/wp-content/plugins/tagdiv-composer/module.php?class=evilclass'
• Enable automatic updates for the plugin so the fixed release is applied:
wp plugin auto-updates enable tagdiv-composer
Exploit status
EPSS
2.23% (84th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-13645 is to upgrade TagDiv Composer to a version that addresses the vulnerability. TagDiv should release a patched version shortly after the public disclosure. If immediate upgrading is not possible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to block requests containing the malicious module parameter. Additionally, carefully review all other installed plugins and themes for potential POP chain vulnerabilities. Regularly scan your WordPress installation for security vulnerabilities and keep all components up to date. After upgrade, confirm by attempting to trigger the vulnerable parameter and verifying that the request is rejected.
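As an added example that is not part of this advisory and not TagDiv Composer's own code, the following PHP shows the generic unsafe pattern the advisory describes (a class name read from a request parameter and handed straight to new) beside an allowlisted replacement, which is the kind of fix a plugin author applies and the behaviour a reviewer looks for when auditing other plugins for the same bug class. The parameter name module, ModuleInterface, ModuleRegistry and the two module classes are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from TagDiv Composer. The parameter name 'module',
// ModuleInterface and the two module classes are assumptions for illustration.

interface ModuleInterface
{
    public function render(): string;
}

final class HeaderModule implements ModuleInterface
{
    public function render(): string { return '<header></header>'; }
}

final class FooterModule implements ModuleInterface
{
    public function render(): string { return '<footer></footer>'; }
}

// Vulnerable pattern: the class name comes straight from the request, so any
// loadable class (including classes shipped by unrelated plugins or themes,
// whose constructors and destructors then run) can be instantiated. This is
// the "unauthenticated PHP object instantiation" bug class.
function load_module_unsafe(array $request): object
{
    $class = $request['module'] ?? HeaderModule::class;
    return new $class();
}

// Hardened pattern: user input is only a key into a fixed allowlist, the
// class name is never derived from the string itself, and the result is
// type-checked before it is returned.
final class ModuleRegistry
{
    private const MODULES = [
        'header' => HeaderModule::class,
        'footer' => FooterModule::class,
    ];

    public static function create(string $name): ModuleInterface
    {
        if (!array_key_exists($name, self::MODULES)) {
            // Reject rather than fall back: an unknown name is worth logging.
            throw new InvalidArgumentException('Unknown module requested');
        }
        $class  = self::MODULES[$name];
        $module = new $class();
        if (!$module instanceof ModuleInterface) {
            throw new UnexpectedValueException('Allowlisted class is not a module');
        }
        return $module;
    }
}

// Usage with a constructed request array standing in for $_GET.
$request = ['module' => 'footer'];
echo ModuleRegistry::create($request['module'])->render(), PHP_EOL;

try {
    // A class name from some other plugin is not an allowlist key, so it is refused.
    ModuleRegistry::create('SomeClassFromAnotherPlugin');
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

The allowlist is what removes the dependency on "no gadget chain happens to be installed": with load_module_unsafe the site's security rests on every other plugin and theme, whereas ModuleRegistry only ever instantiates the two classes the plugin author chose.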
Update the TagDiv Composer plugin to a version later than 5.3. This fixes the unauthenticated PHP object instantiation vulnerability. If no such version is available, consider disabling the plugin until a fixed version is published.
CVE-2024-13645 is a critical vulnerability in TagDiv Composer versions up to 5.3 that allows unauthenticated attackers to instantiate PHP objects, potentially leading to code execution if combined with other vulnerabilities.
Yes, if you are using TagDiv Composer version 5.3 or earlier, you are affected by this vulnerability. Upgrade to a patched version as soon as possible.
Upgrade TagDiv Composer to the latest available version. If immediate upgrading is not possible, implement a WAF rule to block malicious requests.
Active exploitation is not currently confirmed, but the vulnerability's potential impact is high, and exploitation is likely if a POP chain exists on the target system.
Please refer to the TagDiv website and WordPress plugin repository for the latest security advisory and patched version.