CVE-2024-10936

8.8 HIGH

📋 TL;DR

The String Locator WordPress plugin deserializes untrusted input, allowing unauthenticated attackers to inject a PHP object (PHP object injection); the injected object is only deserialized once an administrator performs a search and replace action. No known POP chain exists in the plugin itself, but if another installed plugin or theme provides one, the attacker could delete files, read sensitive data, or execute code. All WordPress sites running String Locator version 2.6.6 or earlier are affected.

💻 Affected Systems

Products:
  • WordPress String Locator Plugin
Versions: All versions up to and including 2.6.6
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires administrator to perform search and replace action to trigger exploit

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution and complete site compromise if another installed plugin or theme supplies a usable POP chain

🟠 Likely Case: With no known POP chain in String Locator itself, the injected object has nothing to act on; the realistic outcome is limited data exposure or PHP errors that degrade the site (denial of service)

🟢 If Mitigated: No impact once the plugin is updated or disabled, or if no POP chain is present in the environment

🌐 Internet-Facing: HIGH - Unauthenticated attack vector affecting publicly accessible WordPress sites
🏢 Internal Only: MEDIUM - Requires administrator action to trigger, reducing internal-only exposure

🎯 Exploit Status

Public PoC: None known
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Partial - the object can be injected without authentication, but an administrator must perform a search and replace action before it is deserialized
Complexity: MEDIUM

Exploit requires administrator action and depends on presence of POP chain from other plugins/themes

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.6.7 or later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3222952/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the String Locator plugin.
4. Click 'Update Now' if available, or manually update to version 2.6.7 or later.
5. Verify that the update completed successfully.

🔧 Temporary Workarounds

Disable String Locator Plugin (platform: all)

Temporarily deactivate the vulnerable plugin until it can be updated:

wp plugin deactivate string-locator

🧯 If You Can't Patch

  • Restrict administrator access to trusted users only
  • Monitor for suspicious search/replace actions in WordPress logs

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → String Locator version number

Check Version:

wp plugin get string-locator --field=version

Verify Fix Applied:

Confirm String Locator version is 2.6.7 or higher in WordPress admin

📡 Detection & Monitoring

Log Indicators:

  • Unusual or unexpected search/replace actions in WordPress admin activity logs
  • PHP notices such as "unserialize(): Error at offset ..." in the PHP error log (or the web server error log, where PHP writes there)

Network Indicators:

  • HTTP POST requests to /wp-admin/admin-ajax.php carrying PHP-serialized data; an object payload contains the marker O:<length>:"ClassName": followed by a property list

SIEM Query:

source="wordpress" AND (event="search_replace" OR message="*unserialize*")
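The SIEM query above only matches on strings. The script below is an added example (not code from the advisory, Wordfence, or the String Locator plugin) showing how a detection can instead parse PHP's serialize() format and report the object classes a request parameter would instantiate: a serialized scalar is harmless, a serialized object is an injection attempt, and the class names are what you compare against gadget classes shipped by installed plugins and themes. The request records, the `term` parameter and the `Evil_Gadget_X` class are constructed for illustration and are not the plugin's real request format.

```python
"""Spot PHP object-injection payloads in captured WordPress requests.

Added example; not code from the advisory or the String Locator plugin.
Request records, parameter names and the gadget class are constructed.
"""
from urllib.parse import quote_plus, unquote_plus, urlsplit


class PHPSerializedParser:
    """Recursive-descent parser for serialize() tags N, b, i, d, s, a, O.
    Lengths are byte counts; the samples are ASCII so offsets coincide."""

    def __init__(self, data):
        self.s, self.i, self.classes = data, 0, []  # classes: outermost first

    def _expect(self, ch):
        if self.s[self.i] != ch:
            raise ValueError(f"expected {ch!r} at offset {self.i}")
        self.i += 1

    def _read_until(self, ch):
        end = self.s.index(ch, self.i)  # ValueError if the delimiter is missing
        token, self.i = self.s[self.i:end], end + 1
        return token

    def _quoted(self, length):
        self._expect('"')
        token = self.s[self.i:self.i + length]
        if length < 0 or len(token) != length:
            raise ValueError("declared length does not fit the data")
        self.i += length
        self._expect('"')
        return token

    def _pairs(self, count):  # {key;value;...} body of an array or object
        self._expect("{")
        items = {}
        for _ in range(count):
            key = self._value()
            items[key] = self._value()
        self._expect("}")
        return items

    def _value(self):
        tag = self.s[self.i]
        self.i += 1
        if tag == "N":
            self._expect(";")
            return None
        self._expect(":")
        if tag == "i":
            return int(self._read_until(";"))
        if tag == "b":
            return self._read_until(";") == "1"
        if tag == "d":
            return float(self._read_until(";"))
        if tag == "s":
            token = self._quoted(int(self._read_until(":")))
            self._expect(";")
            return token
        if tag == "a":
            return self._pairs(int(self._read_until(":")))
        if tag == "O":  # O:<len>:"<class>":<nprops>:{...}
            cls = self._quoted(int(self._read_until(":")))
            self.classes.append(cls)  # recorded even if the body later fails
            self._expect(":")
            return {"__class__": cls, "props": self._pairs(int(self._read_until(":")))}
        raise ValueError(f"unsupported tag {tag!r} at offset {self.i - 1}")


def php_object_classes(blob):
    """Class names a blob would instantiate; plain text and serialized scalars
    give []. A payload naming a class but otherwise malformed is still reported
    (it is still an attempt); trailing bytes are ignored, as unserialize() does."""
    parser = PHPSerializedParser(blob)
    try:
        parser._value()
    except (ValueError, IndexError, TypeError):
        pass
    return parser.classes


def form_fields(encoded):
    """Split form/query data by hand: serialized PHP is full of ';', which
    older urllib.parse.parse_qsl versions also treat as a pair separator."""
    for pair in encoded.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            yield unquote_plus(name), unquote_plus(value)


def scan_request(record):
    """[(location, parameter, classes), ...] for every query-string or body
    parameter that carries a serialized PHP object."""
    hits = []
    for location, encoded in (("query", urlsplit(record["uri"]).query),
                              ("body", record.get("body", ""))):
        for name, value in form_fields(encoded):
            classes = php_object_classes(value)
            if classes:
                hits.append((location, name, classes))
    return hits


# Constructed traffic: 'term' and Evil_Gadget_X are hypothetical; the endpoint
# is the one the advisory lists as a network indicator.
GADGET = 'a:1:{i:0;O:13:"Evil_Gadget_X":1:{s:4:"path";s:11:"/etc/passwd";}}'
SAMPLE_REQUESTS = [
    {"src": "203.0.113.7", "uri": "/wp-admin/admin-ajax.php",
     "body": "action=heartbeat&_nonce=deadbeef"},
    {"src": "203.0.113.9", "uri": "/wp-admin/admin-ajax.php",
     "body": "action=example_search&term=" + quote_plus(GADGET)},
    {"src": "198.51.100.4", "body": "",
     "uri": "/wp-admin/admin-ajax.php?action=example_search&term=" + quote_plus('s:5:"hello";')},
    {"src": "198.51.100.5", "uri": "/wp-admin/admin-ajax.php",
     "body": "action=example_search&term=" + quote_plus("O:hello world")},
]


def scan_all(records=SAMPLE_REQUESTS):
    """[(src, location, parameter, classes), ...] across all records."""
    return [(r["src"], loc, name, classes)
            for r in records for loc, name, classes in scan_request(r)]


if __name__ == "__main__":
    for src, loc, name, classes in scan_all():
        print(f"{src}: serialized PHP object in {loc} parameter {name!r}: {classes}")
```

Only the second record fires: the first carries plain form fields, the third a serialized string (no class is instantiated), and the fourth merely starts with `O:` and is not well-formed. Feed the reported class names to a check against the classes defined by the site's other plugins and themes to decide whether a POP chain is actually reachable.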
