cleantalk
Vulnerabilities and Security Researches

String locator, CVE-2024-10936

CVE, Research URL

CVE-2024-10936

Home page URL

Security reports for String locator

Application

String locator

Published on
Jan 21, 2025
Research Description
The String locator plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.6.6 via deserialization of untrusted input in the 'recursive_unserialize_replace' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. An administrator must perform a search and replace action to trigger the exploit.
Affected versions
Min -, max 2.6.7.
Status
vulnerable
Previous vulnerability researches
String locator , Aug 13, 2025
String locator (CVE-2022-0493) , Jun 06, 2024
String locator (CVE-2022-2434) , Jun 06, 2024
String locator (CVE-2023-6987) , Aug 24, 2024
String locator (CVE-2024-10936) , Jan 22, 2025
New vulnerability
GiveWP – Donation Plugin and Fundraising Platform (CVE-2025-7221) , Aug 29, 2025
Add Code To Head (CVE-2025-48314) , Aug 29, 2025
130+ Widgets | Best Addons For Elementor – FREE (CVE-2025-58195) , Aug 29, 2025
WP Bulk Delete (CVE-2025-58192) , Aug 29, 2025
Responsive Mobile-Friendly Tooltip (CVE-2025-48316) , Aug 29, 2025