CVE-2024-1772
📋 TL;DR
The Play.ht WordPress plugin is vulnerable to PHP object injection via deserialization of untrusted input in the play_podcast_data post meta. This allows authenticated attackers with contributor-level access or higher to inject PHP objects. While no known POP chain exists in the plugin itself, if another plugin or theme provides one, attackers could delete files, steal data, or execute code.
💻 Affected Systems
- Play.ht – Make Your Blog Posts Accessible With Text to Speech Audio WordPress plugin
📦 What is this software?
Play.ht by Hammadh
⚠️ Risk & Real-World Impact
Worst Case
If a POP chain exists via another plugin/theme, attackers could achieve remote code execution, delete critical files, or exfiltrate sensitive data from the WordPress site.
Likely Case
Attackers with contributor access can inject PHP objects, potentially causing application instability or limited data manipulation, but full exploitation requires a compatible POP chain from other components.
If Mitigated
With proper access controls limiting contributor accounts and monitoring, impact is reduced to potential application errors or limited data corruption.
🎯 Exploit Status
Exploitation requires contributor-level WordPress credentials and depends on availability of POP chains from other installed plugins/themes.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 3.6.4
Vendor Advisory: https://plugins.trac.wordpress.org/browser/play-ht/trunk/includes/class-ajax-handler.php#L138
Restart Required: No
Instructions:
1. Log into WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Play.ht – Make Your Blog Posts Accessible With Text to Speech Audio'.
4. Click 'Update Now' if available, or manually update to latest version.
5. Verify plugin version is above 3.6.4.
🔧 Temporary Workarounds
Disable vulnerable plugin
all: Temporarily deactivate the Play.ht plugin until patched
wp plugin deactivate play-ht
Restrict contributor access
all: Limit contributor accounts or elevate authentication requirements
🧯 If You Can't Patch
- Remove contributor-level user accounts or restrict their permissions
- Install a web application firewall with PHP deserialization protection rules
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for Play.ht plugin version 3.6.4 or lower
Check Version:
wp plugin get play-ht --field=version
Verify Fix Applied:
Confirm plugin version is above 3.6.4 in WordPress admin panel
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to WordPress AJAX endpoints with serialized data
- Unexpected PHP errors related to object deserialization
- Suspicious activity from contributor-level accounts
Network Indicators:
- HTTP requests containing serialized PHP objects in post meta data
- Traffic to /wp-admin/admin-ajax.php with unusual parameters
SIEM Query:
source="wordpress.log" AND "play_podcast_data" AND ("unserialize" OR "PHP object")
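An added example, not code from the plugin or the advisory: a Python check for the "serialized PHP objects in post meta data" indicator, meant to be run over exported play_podcast_data values. It walks the PHP serialize format by declared length, so object-looking text inside an ordinary string is not flagged. The sample rows, their array keys and class names are constructed, and how the (post_id, meta_value) pairs are exported from the database is assumed to be handled by the site's own tooling.

```python
import re

_SCALAR = re.compile(rb'(?:N|[bidrR]:[^;{}"]*);')       # null, bool, int, float, reference
_STR = re.compile(rb's:(\d+):"')                         # string header, length in bytes
_NODE = re.compile(rb'(?:O:\d+:"([^"]*)"|a):(\d+):')     # object (class name) or array

def object_classes(data: bytes) -> list:
    """Class names of every object in a PHP-serialized value; ValueError if malformed."""
    found = []
    def need(pos, byte):
        if data[pos:pos + 1] != byte:
            raise ValueError(f"expected {byte!r} at byte {pos}")
        return pos + 1
    def parse(pos):
        m = _SCALAR.match(data, pos)
        if m:
            return m.end()
        m = _STR.match(data, pos)
        if m:  # jump over exactly n bytes: object-looking text inside a string is not reported
            return need(need(m.end() + int(m.group(1)), b'"'), b";")
        m = _NODE.match(data, pos)
        if not m:  # includes C: and E: tokens, which this walker does not handle
            raise ValueError(f"unsupported token at byte {pos}")
        if m.group(1) is not None:
            found.append(m.group(1).decode("utf-8", "replace"))
        pos = need(m.end(), b"{")
        for _ in range(2 * int(m.group(2))):  # n properties or elements = 2n values
            pos = parse(pos)
        return need(pos, b"}")
    if parse(0) != len(data):
        raise ValueError("trailing bytes after value")
    return found

def audit(rows):
    """Map post_id -> class names, or 'unparseable' for manual review; clean rows omitted."""
    report = {}
    for post_id, raw in rows:
        try:
            report[post_id] = object_classes(raw)
        except (ValueError, RecursionError):
            report[post_id] = "unparseable"
    return {k: v for k, v in report.items() if v}

SAMPLE_ROWS = [  # constructed (post_id, meta_value) pairs; keys and class names are made up
    (101, b'a:2:{s:5:"voice";s:4:"Noel";s:3:"url";s:21:"https://example.test/";}'),
    (102, b'a:1:{s:4:"note";s:19:"O:8:"stdClass":0:{}";}'),   # object text inside a string
    (103, b'a:1:{s:4:"data";O:16:"ConstructedClass":1:{s:1:"x";i:1;}}'),
    (104, b'a:1:{s:4:"data";O:3:"Foo":1:{'),                   # truncated value
]
```

Calling audit(SAMPLE_ROWS) reports only posts 103 and 104; any post it flags is worth tracing back to the contributor account that last edited it.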
🔗 References
- https://plugins.trac.wordpress.org/browser/play-ht/trunk/includes/class-ajax-handler.php#L138
- https://www.wordfence.com/threat-intel/vulnerabilities/id/83a595b7-379c-4202-abdd-d8ba4a30c6a4?source=cve