CVE-2024-56059

Severity: Critical
Published: 18 December 2024
Modified: 23 April 2026
CISA KEV: not listed
Patch: vendor update available (see Deeper analysis)
CVSS v3.1 base score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.3235 (97.0th percentile)
Risk priority: 39 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-56059 is a critical-severity Prototype Pollution (CWE-1321) vulnerability. Its CVSS base score is 9.8 (Critical).

Operationally, its EPSS score ranks it in the top 3.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

The vulnerability is a Prototype Pollution flaw, tracked as CWE-1321, that permits improperly controlled modification of object prototype attributes and results in object injection. It affects the farinspace Partners WordPress plugin in all versions through 0.2.0. The issue carries a CVSS 3.1 score of 9.8, reflecting network-accessible attack conditions with no required authentication or user interaction.

An unauthenticated remote attacker can supply crafted input that pollutes JavaScript or PHP object prototypes, enabling object injection. Successful exploitation can lead to full compromise of confidentiality, integrity, and availability on the affected WordPress site.

The sole referenced advisory on Patchstack describes the flaw as a PHP object injection vulnerability in the Partners plugin version 0.2.0 and directs administrators to apply the vendor-supplied update that resolves the issue. The EPSS score has reached a peak of 0.3461 with a current value of 0.3235, indicating sustained exploitation interest following disclosure.

Vulnerability details

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability in farinspace Partners partners allows Object Injection. This issue affects Partners: from n/a through <= 0.2.0.

CWE(s)

CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

farinspace Partners WordPress plugin, all versions through 0.2.0.

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References

Patchstack security advisory for the farinspace Partners WordPress plugin (PHP object injection, version 0.2.0 and earlier).