CVE-2024-13636 - Vulnerability Details

Description

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2024-24926. Reason: This candidate is a reservation duplicate of CVE-2024-24926. Notes: All CVE users should reference CVE-2024-24926 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.

Published: 2025-02-18

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

No data.

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-4808	REJECT DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2024-24926. Reason: This candidate is a reservation duplicate of CVE-2024-24926. Notes: All CVE users should reference CVE-2024-24926 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

No reference.

History

Mon, 24 Feb 2025 23:15:00 +0000

Type	Values Removed	Values Added
Title	Brooklyn Theme <= 4.9.9.2 - Authenticated (Subscriber+) PHP Object Injection in ot_decode
Metrics	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Mon, 24 Feb 2025 22:45:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-502
CPEs	cpe:2.3:a:unitedthemes:brooklyn::::::wordpress::*
Vendors & Products	Unitedthemes Unitedthemes brooklyn
References	https://themeforest.net/item/brooklyn-responsive-multipurpose-wordpress-theme/6221179 https://unitedthemes.com/changelog/ https://www.wordfence.com/threat-intel/vulnerabilities/id/50cc3bd5-91ee-4b57-8159-60dd700375f3?source=cve
Metrics	cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Mon, 24 Feb 2025 22:15:00 +0000

Type	Values Removed	Values Added
Description	The Brooklyn theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.9.9.2 via deserialization of untrusted input in the ot_decode function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.	REJECT DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2024-24926. Reason: This candidate is a reservation duplicate of CVE-2024-24926. Notes: All CVE users should reference CVE-2024-24926 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.

Fri, 21 Feb 2025 15:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Unitedthemes Unitedthemes brooklyn
CPEs		cpe:2.3:a:unitedthemes:brooklyn::::::wordpress::*
Vendors & Products		Unitedthemes Unitedthemes brooklyn

Tue, 18 Feb 2025 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 18 Feb 2025 11:15:00 +0000

Type	Values Removed	Values Added
Description		The Brooklyn theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.9.9.2 via deserialization of untrusted input in the ot_decode function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.
Title		Brooklyn Theme <= 4.9.9.2 - Authenticated (Subscriber+) PHP Object Injection in ot_decode
Weaknesses		CWE-502
References		https://themeforest.net/item/brooklyn-responsive-multipurpose-wordpress-theme/6221179 https://unitedthemes.com/changelog/ https://www.wordfence.com/threat-intel/vulnerabilities/id/50cc3bd5-91ee-4b57-8159-60dd700375f3?source=cve
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Subscriptions

No data.

MITRE

Status: REJECTED

Assigner: Wordfence

Published: 2025-02-18T11:10:18.901Z

Updated: 2025-02-24T22:11:30.549Z

Reserved: 2025-01-22T20:25:16.090Z

Link: CVE-2024-13636

Vulnrichment

Updated:

NVD

Status : Rejected

Published: 2025-02-18T11:15:10.143

Modified: 2025-02-24T22:15:11.277

Link: CVE-2024-13636

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

No weakness.

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object