CVE-2024-5724 is a vulnerability classified under CWE-502 (Deserialization of Untrusted Data) affecting the Photo Video Gallery Master plugin for WordPress in all versions up to and including 1.5.3. The flaw stems from the plugin's unsafe handling of the 'PVGM_all_photos_details' parameter, which is deserialized without proper validation or sanitization. This allows authenticated attackers with Contributor-level privileges or higher to perform PHP Object Injection by crafting malicious serialized objects. Although the plugin itself does not contain a known Property Oriented Programming (POP) chain to facilitate exploitation, the presence of additional plugins or themes on the target WordPress installation that provide such chains could enable attackers to leverage this vulnerability for critical actions such as arbitrary file deletion, sensitive data retrieval, or remote code execution. The vulnerability has a CVSS 3.1 base score of 8.8, reflecting its high severity due to network attack vector, low attack complexity, required privileges, and high impact on confidentiality, integrity, and availability. No public exploits have been reported yet, but the risk is significant given the widespread use of WordPress and the potential for privilege escalation and system compromise through this vector.

The impact of CVE-2024-5724 is substantial for organizations using the Photo Video Gallery Master plugin. Exploitation can lead to full compromise of the affected WordPress site, including unauthorized deletion of files, exposure of sensitive information, and remote code execution. This can result in data breaches, website defacement, service disruption, and potential lateral movement within the hosting environment. Since the vulnerability requires only Contributor-level access, attackers who gain such access through other means (e.g., phishing, weak credentials) can escalate their privileges and control the site. The broad availability of WordPress and the plugin increases the attack surface globally, potentially affecting websites ranging from small businesses to large enterprises relying on WordPress for content management. The absence of a known exploit currently provides a window for mitigation, but the ease of exploitation and high impact necessitate urgent attention.

To mitigate CVE-2024-5724, organizations should immediately update the Photo Video Gallery Master plugin to a patched version once available. In the absence of an official patch, administrators should restrict Contributor-level and higher privileges to trusted users only and audit existing user roles for unnecessary permissions. Implement web application firewalls (WAFs) with rules to detect and block suspicious serialized input patterns targeting the 'PVGM_all_photos_details' parameter. Disable or remove unnecessary plugins and themes that could provide POP chains to reduce exploitation risk. Employ strict input validation and sanitization where possible, and monitor logs for unusual activity related to deserialization or object injection attempts. Regular backups and incident response plans should be in place to recover from potential compromises. Finally, consider isolating WordPress instances and using least privilege principles to limit the impact of any successful exploitation.