CVE-2024-12627
📋 TL;DR
This vulnerability allows authenticated WordPress users with Contributor-level access or higher to perform PHP object injection via AJAX requests. Attackers could potentially execute arbitrary code, delete files, or access sensitive data if a suitable POP chain exists through other installed plugins or themes. All WordPress sites using the Coupon X plugin version 1.3.5 or earlier are affected.
💻 Affected Systems
- Coupon X: Discount Pop Up, Promo Code Pop Ups, Announcement Pop Up, WooCommerce Popups WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data theft, or site defacement if a POP chain exists via other installed components.
Likely Case
Limited impact due to no known POP chain in the vulnerable plugin itself, but potential for file deletion or data exposure if vulnerable plugins/themes are present.
If Mitigated
No impact if plugin is patched or removed, or if Contributor-level user accounts are strictly controlled.
🎯 Exploit Status
Exploitation requires authenticated access and depends on availability of POP chains in other components.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 1.3.5
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3219466/coupon-x-discount-pop-up/trunk/inc/class-cx-rest.php
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Coupon X' plugin. 4. Click 'Update Now' if available, or manually update to latest version. 5. Verify plugin version is 1.3.6 or higher.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
WordPressRemove or restrict access to the capture_email AJAX action
Add to theme's functions.php: remove_action('wp_ajax_capture_email', 'cx_capture_email'); remove_action('wp_ajax_nopriv_capture_email', 'cx_capture_email');
🧯 If You Can't Patch
- Temporarily deactivate the Coupon X plugin until patched
- Implement strict access controls for Contributor-level users and monitor their activities
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins, find Coupon X plugin, verify version is 1.3.5 or earlier.Check Version:
wp plugin list --name='coupon-x-discount-pop-up' --field=versionVerify Fix Applied:
After update, verify plugin version shows 1.3.6 or higher in WordPress admin.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/admin-ajax.php with action=capture_email
- Multiple failed deserialization attempts in PHP logs
Network Indicators:
- Suspicious AJAX requests from Contributor-level user accounts to capture_email endpoint
SIEM Query:
source="wordpress.log" AND "admin-ajax.php" AND "capture_email" AND status=200