CVE-2024-13742
Published: 30 January 2025
Summary
CVE-2024-13742 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Icontrolwp Icontrolwp. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 22.0% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
The iControlWP – Multiple WordPress Site Manager plugin for WordPress is vulnerable to PHP Object Injection in all versions through 4.4.5. The flaw stems from unsafe deserialization of untrusted input supplied via the reqpars parameter, as implemented in the plugin’s LegacyApi and api RequestParameters components. No POP chain exists within the plugin itself, so the issue produces no direct effect unless another installed plugin or theme supplies a usable chain.
Unauthenticated remote attackers can supply a crafted object through this parameter. When a compatible POP chain is present on the target site, successful exploitation can result in arbitrary file deletion, sensitive data disclosure, or remote code execution, consistent with the vulnerability’s CVSS 9.8 rating.
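As an added illustration (not the iControlWP plugin's own code; the function names and sample inputs are constructed), this PHP shows the unsafe unserialize() pattern the advisory describes beside a hardened form that keeps arrays and scalars working but never instantiates a class from the reqpars input, which is what removes the reliance on a POP chain existing elsewhere on the site:

```php
<?php
// Added illustration, not the iControlWP plugin's own code: the unsafe
// unserialize() pattern the advisory describes beside a hardened form.
// Function names and the sample inputs below are constructed for this example.

// Unsafe: unserialize() on attacker-controlled input instantiates any class
// the autoloader can reach, so a gadget (POP) chain from any other installed
// plugin or theme becomes reachable through its __wakeup/__destruct methods.
function parse_reqpars_unsafe(string $raw)
{
    return unserialize($raw);
}

// Hardened: allowed_classes => false (PHP >= 7.0) turns every object in the
// payload into __PHP_Incomplete_Class, so no class code runs during parsing;
// the payload is then rejected outright if it contained any object at all.
// Scalars and nested arrays, all a request-parameter bag needs, still round-trip.
function parse_reqpars_safe(string $raw)
{
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if ($data === false && $raw !== serialize(false)) {
        return null; // malformed input: reject rather than guess
    }
    return contains_object($data) ? null : $data;
}

// Recursively checks whether a decoded value contains any object
// (including __PHP_Incomplete_Class placeholders, which is_object() reports).
function contains_object($value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// Constructed inputs: a legitimate parameter array and a serialized object
// (a harmless stdClass stands in for whatever class an attacker would name).
$legit  = serialize(['site' => 'example.invalid', 'action' => 'status']);
$object = 'O:8:"stdClass":1:{s:1:"x";s:1:"y";}';

var_dump(parse_reqpars_safe($legit));    // legitimate array is accepted
var_dump(parse_reqpars_safe($object));   // serialized object is rejected
var_dump(parse_reqpars_unsafe($object)); // unsafe path instantiates the class
```

If the parameter bag never needs objects at all, moving the transport to JSON (json_decode with assoc arrays) removes the unserialize() surface entirely rather than fencing it.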
Public references include the plugin’s Trac source listings for the affected files, a changeset that updated the request-handling code, and the Wordfence advisory that catalogs the issue under CVE-2024-13742. Site operators should apply the latest plugin release to eliminate the deserialization path.
EPSS for the CVE rose from a low baseline to a peak of 0.0511 on 2026-01-13 before receding to the current value of 0.0105, indicating a period of increased exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-51741
Vulnerability details
The iControlWP – Multiple WordPress Site Manager plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.4.5 via deserialization of untrusted input from the reqpars parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like deleting arbitrary files, retrieving sensitive data, or executing code, depending on the POP chain present.
- CWE(s): CWE-502 Deserialization of Untrusted Data
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
- Command and Scripting Interpreter (T1059)
Why these techniques?
The deserialization flaw in a public-facing WordPress plugin gives unauthenticated attackers a direct exploitation vector (T1190); when a usable POP chain is present on the site, successful abuse yields arbitrary code or command execution (T1059).
Affected Assets
- iControlWP – Multiple WordPress Site Manager plugin for WordPress, all versions through 4.4.5
Mitigating Controls (NIST 800-53 r5)
- SI-2 Flaw Remediation: applying the patched plugin release directly addresses CVE-2024-13742 by eliminating the unsafe deserialization of untrusted input in the iControlWP plugin.
- SI-10 Information Input Validation: rejecting serialized objects in request parameters such as reqpars prevents PHP object injection before any class can be instantiated.
- RA-5 Vulnerability Monitoring and Scanning: scanning WordPress installations for vulnerable plugin versions identifies PHP object injection flaws like CVE-2024-13742 for proactive remediation.