CVE-2024-12627: CWE-502 Deserialization of Untrusted Data in galdub Coupon X: Discount Pop Up, Promo Code Pop Ups, Announcement Pop Up, WooCommerce Popups
CVE-2024-12627 is a high-severity vulnerability in the WordPress plugin 'Coupon X: Discount Pop Up, Promo Code Pop Ups, Announcement Pop Up, WooCommerce Popups' affecting all versions up to 1. 3. 5. It involves PHP Object Injection via deserialization of untrusted input in the capture_email AJAX action, exploitable by authenticated users with Contributor-level access or higher. While no direct POP (Property Oriented Programming) chain is included in the plugin, the presence of additional plugins or themes could enable attackers to execute arbitrary code, delete files, or access sensitive data. The vulnerability has a CVSS score of 7. 5, indicating high impact on confidentiality, integrity, and availability. No known exploits are currently in the wild. Organizations using this plugin should prioritize patching or mitigating this flaw to prevent potential privilege escalation and remote code execution.
AI Analysis
Technical Summary
CVE-2024-12627 is a deserialization vulnerability categorized under CWE-502 affecting the 'Coupon X: Discount Pop Up, Promo Code Pop Ups, Announcement Pop Up, WooCommerce Popups' WordPress plugin by galdub. The flaw exists in all versions up to and including 1.3.5, where the plugin improperly deserializes untrusted input received via the capture_email AJAX action, specifically from post content. This allows authenticated attackers with at least Contributor-level permissions to inject crafted PHP objects. Although the plugin itself does not contain a known POP chain to directly exploit this injection for code execution or file manipulation, the presence of other plugins or themes that provide such POP chains could enable attackers to leverage this vulnerability to delete arbitrary files, retrieve sensitive information, or execute arbitrary code on the server. The vulnerability requires authentication but no user interaction beyond that, and the attack vector is network accessible. The CVSS 3.1 score of 7.5 reflects a high severity due to the potential for full compromise of the affected WordPress site. No patches are currently linked, so mitigation may require disabling the plugin or restricting access until a fix is available.
Potential Impact
This vulnerability poses a significant risk to organizations running WordPress sites with the affected Coupon X plugin, especially e-commerce sites using WooCommerce. Successful exploitation can lead to unauthorized code execution, data theft, or site defacement, severely impacting confidentiality, integrity, and availability. Attackers with Contributor-level access, which is a relatively low privilege level, can escalate their capabilities to full site compromise if a suitable POP chain is present. This could result in theft of customer data, injection of malicious content, disruption of business operations, and damage to brand reputation. Given the widespread use of WordPress and WooCommerce globally, the potential impact is broad, affecting small to large businesses relying on these platforms for online sales and marketing.
Mitigation Recommendations
1. Immediately review user roles and permissions to ensure that only trusted users have Contributor-level or higher access. 2. Temporarily disable or remove the Coupon X plugin until a security patch is released. 3. Monitor WordPress sites for unusual activity, especially related to AJAX requests to capture_email endpoints. 4. Implement Web Application Firewall (WAF) rules to detect and block suspicious serialized payloads targeting the plugin's AJAX actions. 5. Keep all WordPress core, plugins, and themes updated to the latest versions to reduce the risk of chained exploits. 6. Conduct a thorough audit of installed plugins and themes to identify any that could provide POP chains enabling exploitation. 7. Consider applying PHP configuration hardening, such as disabling unserialize() on user input where possible. 8. Backup site data regularly and verify restore procedures to minimize damage from potential exploitation.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, India, Brazil, Japan, Netherlands, Italy, Spain
CVE-2024-12627: CWE-502 Deserialization of Untrusted Data in galdub Coupon X: Discount Pop Up, Promo Code Pop Ups, Announcement Pop Up, WooCommerce Popups
Description
CVE-2024-12627 is a high-severity vulnerability in the WordPress plugin 'Coupon X: Discount Pop Up, Promo Code Pop Ups, Announcement Pop Up, WooCommerce Popups' affecting all versions up to 1. 3. 5. It involves PHP Object Injection via deserialization of untrusted input in the capture_email AJAX action, exploitable by authenticated users with Contributor-level access or higher. While no direct POP (Property Oriented Programming) chain is included in the plugin, the presence of additional plugins or themes could enable attackers to execute arbitrary code, delete files, or access sensitive data. The vulnerability has a CVSS score of 7. 5, indicating high impact on confidentiality, integrity, and availability. No known exploits are currently in the wild. Organizations using this plugin should prioritize patching or mitigating this flaw to prevent potential privilege escalation and remote code execution.
AI-Powered Analysis
Technical Analysis
CVE-2024-12627 is a deserialization vulnerability categorized under CWE-502 affecting the 'Coupon X: Discount Pop Up, Promo Code Pop Ups, Announcement Pop Up, WooCommerce Popups' WordPress plugin by galdub. The flaw exists in all versions up to and including 1.3.5, where the plugin improperly deserializes untrusted input received via the capture_email AJAX action, specifically from post content. This allows authenticated attackers with at least Contributor-level permissions to inject crafted PHP objects. Although the plugin itself does not contain a known POP chain to directly exploit this injection for code execution or file manipulation, the presence of other plugins or themes that provide such POP chains could enable attackers to leverage this vulnerability to delete arbitrary files, retrieve sensitive information, or execute arbitrary code on the server. The vulnerability requires authentication but no user interaction beyond that, and the attack vector is network accessible. The CVSS 3.1 score of 7.5 reflects a high severity due to the potential for full compromise of the affected WordPress site. No patches are currently linked, so mitigation may require disabling the plugin or restricting access until a fix is available.
Potential Impact
This vulnerability poses a significant risk to organizations running WordPress sites with the affected Coupon X plugin, especially e-commerce sites using WooCommerce. Successful exploitation can lead to unauthorized code execution, data theft, or site defacement, severely impacting confidentiality, integrity, and availability. Attackers with Contributor-level access, which is a relatively low privilege level, can escalate their capabilities to full site compromise if a suitable POP chain is present. This could result in theft of customer data, injection of malicious content, disruption of business operations, and damage to brand reputation. Given the widespread use of WordPress and WooCommerce globally, the potential impact is broad, affecting small to large businesses relying on these platforms for online sales and marketing.
Mitigation Recommendations
1. Immediately review user roles and permissions to ensure that only trusted users have Contributor-level or higher access. 2. Temporarily disable or remove the Coupon X plugin until a security patch is released. 3. Monitor WordPress sites for unusual activity, especially related to AJAX requests to capture_email endpoints. 4. Implement Web Application Firewall (WAF) rules to detect and block suspicious serialized payloads targeting the plugin's AJAX actions. 5. Keep all WordPress core, plugins, and themes updated to the latest versions to reduce the risk of chained exploits. 6. Conduct a thorough audit of installed plugins and themes to identify any that could provide POP chains enabling exploitation. 7. Consider applying PHP configuration hardening, such as disabling unserialize() on user input where possible. 8. Backup site data regularly and verify restore procedures to minimize damage from potential exploitation.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2024-12-13T17:54:48.677Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6e46b7ef31ef0b59c264
Added to database: 2/25/2026, 9:48:54 PM
Last enriched: 2/26/2026, 3:10:59 AM
Last updated: 2/26/2026, 8:07:22 AM
Views: 1
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2026-25191: Uncontrolled Search Path Element in Digital Arts Inc. FinalCode Ver.5 series
HighCVE-2026-23703: Incorrect default permissions in Digital Arts Inc. FinalCode Ver.5 series
HighCVE-2026-1311: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in bearsthemes Worry Proof Backup
HighCVE-2026-2506: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in motahar1 EM Cost Calculator
MediumCVE-2026-2499: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in tgrk Custom Logo
MediumActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.