CVE-2024-13742 is a critical vulnerability classified under CWE-502 (Deserialization of Untrusted Data) found in the iControlWP – Multiple WordPress Site Manager plugin for WordPress, affecting all versions up to and including 4.4.5. The vulnerability stems from unsafe deserialization of user-supplied input through the 'reqpars' parameter, which allows unauthenticated attackers to perform PHP Object Injection. This injection can lead to arbitrary code execution or other malicious actions if a suitable Property Oriented Programming (POP) gadget chain exists in other installed plugins or themes. The absence of a POP chain within iControlWP itself means the vulnerability's impact depends on the presence of additional vulnerable components in the WordPress environment. The CVSS v3.1 score is 9.8 (critical), reflecting network attack vector, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability. Although no known exploits have been observed in the wild, the vulnerability presents a significant risk to WordPress sites using this plugin, especially those with complex plugin/theme ecosystems that may contain exploitable POP chains. The vulnerability was published on January 30, 2025, and no official patches have been linked yet, increasing the urgency for mitigation.

If exploited, this vulnerability can lead to severe consequences including full site compromise. Attackers can execute arbitrary PHP code, delete critical files, or exfiltrate sensitive data depending on the POP chain available in the environment. This can result in website defacement, data breaches, loss of service, and potential pivoting to internal networks. Since the vulnerability requires no authentication and can be triggered remotely, it poses a high risk to any WordPress site using the affected plugin, especially those with additional vulnerable plugins or themes. The broad impact on confidentiality, integrity, and availability makes this a critical threat to organizations relying on WordPress for their web presence, including e-commerce, media, and enterprise sites. The lack of known exploits in the wild currently offers a window for proactive defense, but the high CVSS score indicates that exploitation would be straightforward once a suitable POP chain is identified.

Organizations should immediately audit their WordPress installations for the presence of the iControlWP – Multiple WordPress Site Manager plugin and identify the version in use. Until an official patch is released, consider disabling or uninstalling the plugin to eliminate the attack vector. Conduct a thorough review of all installed plugins and themes to identify and remove or update any that may contain POP chains exploitable via this vulnerability. Employ Web Application Firewalls (WAFs) with custom rules to block or monitor requests containing suspicious serialized data in the 'reqpars' parameter. Implement strict input validation and sanitization where possible. Monitor logs for unusual activity related to deserialization or unexpected PHP object injections. Maintain regular backups and ensure recovery procedures are tested to mitigate potential damage from exploitation. Stay updated with vendor advisories for patches and apply them promptly once available.