CVE-2024-49699
Published: 21 January 2025
Summary
CVE-2024-49699 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 10.5% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-49699 is a deserialization of untrusted data vulnerability, also described as PHP object injection, that affects the ARPrice WordPress plugin from unknown versions through 4.1.3. The flaw is tracked under CWE-502 and carries a CVSS 3.1 score of 8.8, reflecting network-accessible exploitation with low attack complexity and low privileges required.
An authenticated attacker with at least subscriber-level access can supply a crafted serialized object to trigger the vulnerability, resulting in arbitrary code execution or full compromise of the confidentiality, integrity, and availability of the affected site.
The single referenced advisory from Patchstack identifies the issue in the ARPrice plugin and points to the availability of a fixed version beyond 4.1.3. The associated EPSS score rose from lower values to a peak of 0.0723 in February 2026 before receding to the current 0.0459, indicating a period of increased exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-43688
Vulnerability details
Deserialization of Untrusted Data vulnerability in reputeinfosystems ARPrice arprice allows Object Injection. This issue affects ARPrice: from n/a through <= 4.1.3.
- CWE(s): CWE-502 (Deserialization of Untrusted Data)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
Why these techniques?
Direct remote exploitation of a public-facing WordPress plugin via unsafe deserialization (PHP object injection), leading to arbitrary code execution.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly remediates the deserialization of untrusted data vulnerability in ARPrice by requiring timely patching to a fixed version.
- SI-10 (Information Input Validation): prevents object injection by validating untrusted inputs before the plugin deserializes them.
- AC-6 (Least Privilege): limits exploitation impact by enforcing least privilege on the low-privileged WordPress users who can trigger the vulnerability.