The vulnerability CVE-2024-13410 involves unsafe deserialization of untrusted data in the 'ajax_handler' function of the CozyStay and TinySalt WordPress plugins. This PHP Object Injection vulnerability allows unauthenticated attackers to inject malicious PHP objects. Exploitation requires the presence of a gadget POP chain in other installed plugins or themes to achieve impact such as arbitrary file deletion, sensitive data retrieval, or code execution. The vulnerability affects all versions up to 1.7.0 for CozyStay and 3.9.0 for TinySalt. The CVSS 3.1 base score is 9.8, reflecting network attack vector, no privileges required, no user interaction, and high confidentiality, integrity, and availability impacts. No official patch or fix is currently available, and no known exploits have been observed in the wild.

If a gadget POP chain is present via other installed plugins or themes, an attacker can leverage this vulnerability to perform high-impact actions including arbitrary file deletion, sensitive data disclosure, or remote code execution. Without such a POP chain, the vulnerability does not lead to direct impact. The vulnerability is exploitable remotely without authentication or user interaction, making it highly critical in environments where the prerequisite POP chain exists.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or patch links are currently available, site administrators should monitor vendor communications for updates. In the meantime, review installed plugins and themes for known POP chains that could be exploited in conjunction with this vulnerability. Consider disabling or removing the CozyStay and TinySalt plugins if they are not essential, or restrict access to the vulnerable ajax_handler functionality via web application firewall rules or other access controls until a patch is released.