CVE-2024-13789

9.8 CRITICAL

📋 TL;DR

The ravpage WordPress plugin is vulnerable to PHP object injection via deserialization of untrusted input in the 'paramsv2' parameter. This allows unauthenticated attackers to inject PHP objects, but requires a separate plugin or theme with a POP chain to achieve actual impact. All WordPress sites using ravpage version 2.31 or earlier are affected.

💻 Affected Systems

Products:
  • WordPress ravpage plugin
Versions: All versions up to and including 2.31
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with ravpage plugin. Impact depends on presence of POP chain in other plugins/themes.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

If combined with a POP chain from another plugin/theme, attackers could achieve remote code execution, delete arbitrary files, or retrieve sensitive data.

🟠 Likely Case

No direct impact unless another installed plugin or theme supplies a usable POP chain; on its own the injection instantiates attacker-chosen objects but triggers nothing harmful.

🟢 If Mitigated

With the plugin updated, or with no POP chain present among the installed components, there is no practical impact. A chain can arrive later with any newly installed plugin or theme, so patch rather than rely on its absence.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM
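The mechanism the TL;DR and the Worst Case describe, shown as an added illustration (not code from ravpage or from any other plugin): a request handler that calls unserialize() on the paramsv2 value, a hypothetical gadget class standing in for the kind of class a POP chain would use, and a hardened handler. The handler names, the class HypotheticalLogWriter and its file-writing destructor are assumptions made for the demonstration; only the unserialize-on-request-input pattern comes from the advisory.

```php
<?php
// Added illustration of the bug class, not code from the ravpage plugin.
// Handler names, the gadget class and its behaviour are assumptions made to
// show why unserialize() on request input is dangerous and how to harden it.

// Stand-in for a class some other plugin or theme might define. ravpage's
// unserialize() call does nothing harmful by itself; the impact comes from
// side effects in magic methods of whatever classes happen to be loaded.
class HypotheticalLogWriter
{
    public string $path = '';
    public string $line = '';

    // Runs when the object is destroyed, so it fires even if the code that
    // deserialized the object never calls a method on it.
    public function __destruct()
    {
        if ($this->path !== '') {
            file_put_contents($this->path, $this->line, FILE_APPEND);
        }
    }
}

// Builds the serialized form of an object whose properties are all strings,
// i.e. the kind of value an attacker would place in paramsv2.
function build_object_payload(string $class, array $props): string
{
    $body = '';
    foreach ($props as $name => $value) {
        $body .= sprintf('s:%d:"%s";s:%d:"%s";', strlen($name), $name, strlen($value), $value);
    }
    return sprintf('O:%d:"%s":%d:{%s}', strlen($class), $class, count($props), $body);
}

// Vulnerable pattern: the attacker chooses the class and every property value.
function vulnerable_handler(array $request): mixed
{
    return unserialize($request['paramsv2'] ?? '');
}

// True if $value is, or contains, an object (including __PHP_Incomplete_Class).
function contains_object(mixed $value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// Hardened pattern: allowed_classes => false turns every O: token into a
// __PHP_Incomplete_Class, so no constructor, __wakeup or __destruct of a real
// class ever runs; anything that still contains an object is then rejected.
// (If the format is under your control, json_decode() avoids the issue entirely.)
function hardened_handler(array $request): ?array
{
    $raw = $request['paramsv2'] ?? null;
    if (!is_string($raw) || strlen($raw) > 4096) {
        return null;
    }
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data) || contains_object($data)) {
        return null;
    }
    return $data;
}

// Demo with a constructed payload; the only side effect is a file in the temp directory.
$target  = sys_get_temp_dir() . '/object-injection-demo.txt';
$request = ['paramsv2' => build_object_payload('HypotheticalLogWriter', [
    'path' => $target,
    'line' => "written by __destruct, no method call needed\n",
])];

var_dump(hardened_handler($request));   // NULL: input rejected, nothing written

$obj = vulnerable_handler($request);    // gadget instantiated with attacker-chosen properties
unset($obj);                            // destructor runs here and writes the file
echo file_get_contents($target);
@unlink($target);
```

The point of the demo is the last three lines: the vulnerable handler never calls anything on the object, yet the destructor's file write still happens. Whether that write (or a delete, or an include) is available depends entirely on which classes are loaded, which is why the advisory rates the impact as conditional on a POP chain from another component.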

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires finding or creating a suitable POP chain from other installed components.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Any release later than 2.31; confirm the fixed release in the plugin changelog before relying on it

Vendor Advisory: https://plugins.trac.wordpress.org/browser/ravpage/trunk/ravpage.php

Restart Required: No

Instructions:

1. Update the ravpage plugin to the latest version via the WordPress admin panel.
2. Verify the installed version is greater than 2.31.
3. No server restart is required.

🔧 Temporary Workarounds

Disable ravpage plugin (all platforms)

Temporarily deactivate the vulnerable plugin until it is patched:

wp plugin deactivate ravpage

Input validation via WAF (all platforms)

Block requests whose paramsv2 parameter contains PHP-serialized object tokens (O:<n>:"ClassName"). Match after URL decoding: a literal check for `O:` misses the encoded form `O%3A`, and if the plugin accepts base64-wrapped input that layer must be decoded too.

🧯 If You Can't Patch

  • Remove the ravpage plugin completely if it is not essential
  • Restrict who can install plugins and themes, since any newly installed component can supply the POP chain that makes this exploitable

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > ravpage version. If version is 2.31 or lower, vulnerable.

Check Version:

wp plugin get ravpage --field=version

Verify Fix Applied:

Verify ravpage plugin version is greater than 2.31 in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Requests whose paramsv2 parameter contains PHP-serialized object tokens (O:<n>:"ClassName"), including the URL-encoded form O%3A. Standard access logs record only query strings, so POST bodies are visible only in WAF or request-body audit logs.
  • Unusual plugin activation/deactivation events

Network Indicators:

  • POST requests to WordPress endpoints with a paramsv2 parameter carrying serialized data

SIEM Query:

source="web_access" AND uri="*wp-admin*" AND paramsv2="*O:*"

Run the match against the URL-decoded parameter value, or add the encoded form (`*O%3A*`), since the literal pattern misses encoded payloads. The `uri` filter assumes the parameter reaches a wp-admin endpoint; drop it if the plugin's handler is reached through another path.
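The decoded matching that the WAF workaround and the SIEM query above both need, as an added example that is not part of the advisory: a small scanner over constructed access-log lines that extracts paramsv2, checks for a serialized object token as given, after an extra URL-decoding pass, and after base64 decoding. The log lines, the request path and the encodings are constructed for the demo; what ravpage actually accepts is an assumption, so adjust the decode layers to what your own traffic shows.

```php
<?php
// Added example, not part of the advisory or the plugin. The log lines are
// constructed; the request path and the encoding layers are assumptions.

// True when $value carries a PHP-serialized object token, O:<len>:"Class" or
// C:<len>:"Class" (custom serialization), checking the value as given, after
// one more URL-decoding pass, and after a strict base64 decode of either.
function carries_serialized_object(string $value): bool
{
    // not preceded by another identifier character, so "FOO:1:" does not match
    $token  = '/(?<![A-Za-z0-9_])[OC]:\d+:"/';
    $layers = [$value, rawurldecode($value)];
    foreach ($layers as $layer) {
        if (preg_match('~^[A-Za-z0-9+/=_-]{8,}$~', $layer)) {
            $decoded = base64_decode(strtr($layer, '-_', '+/'), true);
            if ($decoded !== false) {
                $layers[] = $decoded;
            }
        }
    }
    foreach ($layers as $layer) {
        if (preg_match($token, $layer)) {
            return true;
        }
    }
    return false;
}

// Pulls the (once URL-decoded) paramsv2 value out of a combined-format line.
// Access logs carry only query strings; feed WAF or audit-log lines the same way
// to cover POST bodies.
function extract_paramsv2(string $logLine): ?string
{
    if (!preg_match('/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $logLine, $m)) {
        return null;
    }
    $query = parse_url($m[1], PHP_URL_QUERY);
    if (!is_string($query)) {
        return null;
    }
    parse_str($query, $params);
    $v = $params['paramsv2'] ?? null;
    return is_string($v) ? $v : null;
}

// Returns one entry per line whose paramsv2 carries an object token.
function scan_log_lines(array $lines): array
{
    $hits = [];
    foreach ($lines as $index => $line) {
        $v = extract_paramsv2($line);
        if ($v !== null && carries_serialized_object($v)) {
            $hits[] = ['line' => $index + 1, 'paramsv2' => $v];
        }
    }
    return $hits;
}

// Constructed sample traffic. A literal paramsv2="*O:*" check catches only
// line 2; lines 3 to 5 are URL-encoded, base64-wrapped and double-encoded.
function sample_log_lines(): array
{
    $fmt    = '198.51.100.7 - - [12/Jan/2025:10:22:%02d +0000] "GET /?paramsv2=%s HTTP/1.1" 200 512 "-" "Mozilla/5.0"';
    $object = 'O:8:"stdClass":0:{}';
    $array  = 'a:1:{s:3:"key";s:5:"value";}';
    return [
        sprintf($fmt, 1, rawurlencode($array)),                        // benign: array, no object
        sprintf($fmt, 2, 'O:8:%22stdClass%22:0:%7B%7D'),               // colons left literal
        sprintf($fmt, 3, rawurlencode($object)),                       // fully URL-encoded
        sprintf($fmt, 4, rawurlencode(base64_encode($object))),        // base64-wrapped
        sprintf($fmt, 5, rawurlencode(rawurlencode($object))),         // double-encoded
    ];
}

foreach (scan_log_lines(sample_log_lines()) as $hit) {
    printf("line %d: paramsv2=%s\n", $hit['line'], $hit['paramsv2']);
}
// Lines 2, 3, 4 and 5 are reported; line 1 (a plain array) is not.
```

The same three decode layers are what a WAF rule needs before its pattern match; a rule that only inspects the raw query string gives the same blind spots as the unadjusted SIEM query.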

🔗 References
