CVE-2024-13410 Overview
CVE-2024-13410 is a PHP Object Injection vulnerability in the CozyStay and TinySalt WordPress themes. It affects all versions of CozyStay up to and including 1.7.0 and all versions of TinySalt up to and including 3.9.0. The flaw is insecure deserialization of untrusted input in the ajax_handler function: request data reaches PHP's unserialize() unchecked, so an unauthenticated attacker can instantiate arbitrary PHP objects with attacker-chosen property values inside the application.
Critical Impact
Unauthenticated attackers can inject PHP objects that, when combined with an existing POP (Property Oriented Programming) chain from another installed plugin or theme, may enable arbitrary file deletion, sensitive data retrieval, or remote code execution.
Affected Products
- CozyStay WordPress theme (versions up to and including 1.7.0)
- TinySalt WordPress theme (versions up to and including 3.9.0)
- Any WordPress site running one of these themes; practical impact requires an additional installed plugin or theme that provides a POP chain
Discovery Timeline
- 2025-03-19 - CVE-2024-13410 published to NVD
- 2025-03-19 - Last updated in NVD database
Technical Details for CVE-2024-13410
Vulnerability Analysis
This vulnerability is classified as Insecure Deserialization (CWE-502). The affected themes pass data taken from the request to PHP's unserialize() inside the ajax_handler function without validating it or restricting which classes may be instantiated. When PHP deserializes attacker-controlled data it reconstructs whatever objects the payload names, with property values the attacker chose, and the classes' magic methods run automatically: __wakeup() and __unserialize() during unserialize() itself, __destruct() when the object is freed, and __toString() whenever the object is used as a string.
The critical aspect is that no authentication is required: the handler is reachable by anonymous requests, so an attacker can send a serialized payload straight to the AJAX endpoint. The themes themselves do not contain a usable POP (Property Oriented Programming) chain, so the injected object does nothing harmful on its own; but a chain in any other installed plugin or theme can be driven by it to achieve file deletion, data exfiltration, or code execution.
Root Cause
The root cause is missing input validation in the ajax_handler function, which deserializes user-supplied data as received. PHP's unserialize() applied to untrusted input lets the caller instantiate any class loaded in the process with fully controlled properties. Because the call neither rejects serialized objects nor passes an allowed_classes restriction to unserialize(), the data format itself becomes an attack surface.
Attack Vector
The attack vector is network-based and requires no user interaction or authentication. An attacker can craft a malicious HTTP request containing a serialized PHP payload targeting the AJAX handler endpoint. The payload would contain a serialized object designed to exploit a POP chain present on the target WordPress installation.
The exploitation flow involves:
- Identifying a vulnerable WordPress site running CozyStay or TinySalt
- Discovering available POP chains from other installed plugins/themes
- Crafting a serialized payload that chains gadgets to achieve the desired outcome
- Sending the malicious payload to the ajax_handler endpoint
- The server deserializes the payload, triggering the POP chain execution
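The flow above, as an added illustration that is not code from CozyStay, TinySalt or any real plugin: a toy gadget class standing in for a POP chain, a handler that deserializes request data the vulnerable way, and the same handler hardened. LogCleanup, vuln_ajax_handler, safe_ajax_handler and the POST field name are hypothetical; the payload is constructed by hand, as an attacker who cannot instantiate the class would have to.

```php
<?php
// Added illustration, not code from CozyStay or TinySalt. LogCleanup,
// vuln_ajax_handler and safe_ajax_handler are hypothetical names.

// A gadget: a class whose magic method acts on its own properties. Real
// gadgets come from other installed plugins/themes; the vulnerable themes
// only supply the unserialize() call.
class LogCleanup
{
    public $path;

    public function __destruct()
    {
        // Runs when the object is freed, i.e. as soon as the deserialized
        // value goes out of scope. The attacker controls $this->path.
        if (is_string($this->path) && is_file($this->path)) {
            unlink($this->path);
        }
    }
}

// Vulnerable pattern (CWE-502): request data straight into unserialize().
// In WordPress this sits behind add_action('wp_ajax_nopriv_<action>', ...),
// so no login is required to reach it.
function vuln_ajax_handler(array $post): array
{
    $data = isset($post['data']) ? unserialize($post['data']) : false;
    return is_array($data) ? $data : [];
}

// Hardened pattern: objects are refused outright. With allowed_classes => false
// PHP builds __PHP_Incomplete_Class placeholders and never binds the named
// class, so its __wakeup()/__destruct() cannot run. JSON, which has no object
// semantics, is the better wire format if the format can be changed.
function safe_ajax_handler(array $post): array
{
    $raw  = isset($post['data']) ? (string) $post['data'] : '';
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return [];
    }
    // Belt and braces: reject placeholders nested inside an otherwise valid array.
    array_walk_recursive($data, function ($v) {
        if (is_object($v)) {
            throw new InvalidArgumentException('objects are not accepted');
        }
    });
    return $data;
}

// Demo with a constructed payload. An attacker builds the string by hand
// exactly like this; the class only has to exist on the server.
$victim = sys_get_temp_dir() . '/cve-2024-13410-demo.txt';
file_put_contents($victim, 'sensitive');
$payload = sprintf('O:10:"LogCleanup":1:{s:4:"path";s:%d:"%s";}', strlen($victim), $victim);

safe_ajax_handler(['data' => $payload]);
echo 'after hardened handler, file exists: ', var_export(file_exists($victim), true), PHP_EOL;

vuln_ajax_handler(['data' => $payload]);
echo 'after vulnerable handler, file exists: ', var_export(file_exists($victim), true), PHP_EOL;
```

The demo writes one file under the system temp directory. After safe_ajax_handler() the file is still there: the payload became an incomplete-class placeholder and LogCleanup::__destruct() never ran. After vuln_ajax_handler() it is gone, deleted on the way out of the function when the reconstructed object was freed. Note that substituting WordPress's own maybe_unserialize() is not a fix: it calls unserialize() without an allowed_classes restriction.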
Detection Methods for CVE-2024-13410
Indicators of Compromise
- Requests to wp-admin/admin-ajax.php whose action parameter maps to the CozyStay or TinySalt handler and whose parameters carry serialized PHP object data (an O:<digits>:"ClassName": header, possibly URL- or base64-encoded)
- Access log entries for admin-ajax.php with serialized-object or long base64 strings in the query string; standard access logs do not record POST bodies, so body inspection needs a WAF or application-level logging
- Unusual file system activity such as unexpected file deletions or modifications
- PHP error logs indicating failed deserialization attempts or unexpected object instantiation
Detection Strategies
- Implement Web Application Firewall (WAF) rules that detect serialized PHP objects in request parameters (the header pattern O:<digits>:"ClassName":, checked after URL decoding; serialized arrays alone, a:<digits>:{, are not by themselves an object injection)
- Monitor WordPress AJAX endpoints for suspicious payloads containing serialized data structures
- Review web server access logs for anomalous POST requests to plugin-specific AJAX handlers
- Deploy intrusion detection systems (IDS) with signatures for PHP object injection attacks
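Detection logic matching the strategies above, as an added example that is not part of this page or of any vendor product: it looks for the serialized-object header in request parameters after peeling off URL and base64 encoding, so that plain serialized arrays, which legitimate code may send, are not flagged. The function names and the sample requests are constructed, and the action value is a placeholder, not the themes' real action name. In a deployment the same check would run from a must-use plugin hooked early in the request, since access logs show only GET query strings and not POST bodies.

```php
<?php
// Added detection example, not part of the page or any vendor tool.
// request_has_php_object() and the sample requests below are constructed.

// The serialized-object header is O:<len>:"<Class>":<n>:{ (C: for classes
// implementing Serializable). Some PHP builds also accept a leading '+'
// in the length (O:+10:), a known filter-evasion trick, so allow it.
function contains_php_object(string $s): bool
{
    return (bool) preg_match('/[OC]:\+?\d+:"[^"]+":\+?\d+:[{]/', $s);
}

// Examine one value in every encoding layer an attacker might use.
function suspicious_value(string $v): bool
{
    $layers = [$v, urldecode($v), rawurldecode(urldecode($v))];
    foreach ([$v, urldecode($v)] as $candidate) {
        // Only attempt base64 on strings that look like base64, to limit noise.
        if (strlen($candidate) >= 16 && preg_match('#^[A-Za-z0-9+/]+={0,2}$#', $candidate)) {
            $decoded = base64_decode($candidate, true);
            if ($decoded !== false) {
                $layers[] = $decoded;
            }
        }
    }
    foreach ($layers as $layer) {
        if (contains_php_object($layer)) {
            return true;
        }
    }
    return false;
}

// Walk a request's parameters ($_GET, $_POST or $_REQUEST shape, possibly nested).
function request_has_php_object(array $params): bool
{
    $hit = false;
    array_walk_recursive($params, function ($v) use (&$hit) {
        if (!$hit && is_string($v) && suspicious_value($v)) {
            $hit = true;
        }
    });
    return $hit;
}

// Constructed sample requests; 'theme_ajax' is a placeholder action name.
$gadget  = 'O:10:"LogCleanup":1:{s:4:"path";s:13:"wp-config.php";}';
$samples = [
    'benign array' => ['action' => 'theme_ajax', 'data' => 'a:1:{s:4:"room";i:12;}'],
    'raw object'   => ['action' => 'theme_ajax', 'data' => $gadget],
    'url-encoded'  => ['action' => 'theme_ajax', 'data' => rawurlencode($gadget)],
    'base64'       => ['action' => 'theme_ajax', 'data' => base64_encode($gadget)],
    'nested'       => ['action' => 'theme_ajax', 'data' => ['inner' => $gadget]],
];
foreach ($samples as $label => $params) {
    printf("%-13s %s\n", $label, request_has_php_object($params) ? 'FLAG' : 'ok');
}
```

Only the benign serialized array passes; the other four samples are flagged regardless of encoding or nesting. The check is deliberately format-based rather than class-based, because the gadget class an attacker names comes from whatever other plugin is installed and cannot be enumerated in advance. Expect some false positives on free-text fields that happen to contain a string like O:3:"abc":0:{, and log rather than block until the rule has been tuned.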
Monitoring Recommendations
- Enable verbose logging on WordPress installations to capture AJAX request details
- Configure file integrity monitoring on critical WordPress directories and files
- Set up alerting for unexpected PHP process behaviors or file system operations
- Alert on file deletions, writes outside the uploads and cache directories, or outbound connections initiated by the PHP worker process during anonymous admin-ajax.php requests, since a triggered POP chain executes in that request's context
How to Mitigate CVE-2024-13410
Immediate Actions Required
- Update CozyStay to a version later than 1.7.0 that the vendor changelog marks as fixing this issue
- Update TinySalt to a version later than 3.9.0 that the vendor changelog marks as fixing this issue
- Audit installed plugins and themes for known POP chains that could be leveraged in exploitation
- If patching is not immediately possible, switch the site to an unaffected theme; an inactive theme's AJAX handler is not registered and cannot be reached
Patch Information
Security patches have been released by the theme vendors. Refer to the ThemeForest CozyStay Changelog and ThemeForest TinySalt Changelog for the latest patched versions. Additional technical details are available in the Wordfence Vulnerability Report.
Workarounds
- Implement WAF rules to block requests containing serialized PHP objects to WordPress AJAX endpoints
- Restrict access to wp-admin through IP allowlisting where feasible; note that admin-ajax.php must usually stay reachable for anonymous visitors because front-end theme features depend on it, so allowlisting it will break the site rather than protect it
- Remove unnecessary plugins and themes that may contain POP chains to reduce attack surface
- Consider implementing a security plugin that monitors and blocks suspicious deserialization attempts
# Example: block serialized PHP object headers at the web server (WordPress root .htaccess).
# mod_rewrite can only see the query string; there is no %{REQUEST_BODY} variable, so the
# POST body needs ModSecurity. Neither rule catches base64-encoded payloads, and the
# pattern is case-sensitive on purpose: PHP's object tag is a capital O.
<IfModule mod_rewrite.c>
RewriteEngine On
# Raw (O:10:) or URL-encoded (O%3A10%3A) object header in the query string
RewriteCond %{QUERY_STRING} O(:|%3A)\+?\d+(:|%3A)
RewriteRule .* - [F,L]
</IfModule>
<IfModule mod_security2.c>
SecRequestBodyAccess On
SecRule ARGS|REQUEST_BODY "@rx O:\+?\d+:" \
    "id:13410,phase:2,deny,status:403,log,msg:'Serialized PHP object in request (CVE-2024-13410 workaround)'"
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

