CVE-2024-1772 in Make Your Blog Posts Accessible with Text to Speech Audio Plugin

Summary

by MITRE • 03/13/2024

The Play.ht – Make Your Blog Posts Accessible With Text to Speech Audio plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.6.4 via deserialization of untrusted input from the play_podcast_data post meta. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.


Analysis

by VulDB Data Team • 04/12/2026

The Play.ht WordPress plugin vulnerability CVE-2024-1772 represents a critical security flaw that exploits PHP Object Injection through improper input validation. This vulnerability affects all versions up to and including 3.6.4 of the plugin, which is designed to convert blog posts into accessible audio content. The flaw occurs when the plugin deserializes untrusted data from the play_podcast_data post meta field, creating an attack surface that can be exploited by authenticated users with contributor-level privileges or higher. The vulnerability stems from the plugin's failure to sanitize or validate user-supplied data before processing it through PHP's unserialize() function, which is a well-documented weakness that falls under CWE-502.

The technical exploitation of this vulnerability allows authenticated attackers to inject malicious PHP objects into the system through the post meta data field. When the plugin processes this data, it performs deserialization without proper input validation, enabling attackers to craft specially formatted payloads that can execute arbitrary code on the target system. This type of vulnerability creates a pathway for privilege escalation and remote code execution, as the attacker can leverage the existing plugin functionality to manipulate the application's behavior. The attack vector is particularly concerning because it requires only contributor-level access, which is often granted to trusted users who should not have the ability to compromise the entire WordPress installation.

The operational impact of this vulnerability extends beyond simple code execution, as it provides attackers with the capability to perform various malicious activities including arbitrary file deletion, data exfiltration, and complete system compromise. While no known POP (Property-Oriented Programming) chain exists within the vulnerable plugin itself, the absence of such a chain does not mitigate the risk entirely, as attackers could potentially leverage the object injection vulnerability through additional plugins or themes installed on the same system. This creates a cascading risk where a single vulnerable plugin can serve as a stepping stone to more serious compromises. The vulnerability aligns with ATT&CK technique T1548.001 for privilege escalation and T1078 for valid accounts usage, making it particularly dangerous in environments where multiple plugins are installed.

Organizations should immediately update to the latest version of the Play.ht plugin where this vulnerability has been patched, as the fix typically involves implementing proper input validation and sanitization measures before deserialization occurs. Administrators should also consider implementing additional security controls such as input filtering at the web application firewall level and monitoring for unusual post meta data modifications. The vulnerability demonstrates the importance of secure coding practices in WordPress plugin development, particularly around handling user input and avoiding unsafe deserialization patterns. Security teams should conduct thorough audits of all installed plugins to identify similar vulnerabilities and ensure that proper security measures are in place to prevent unauthorized access to system resources and sensitive data.
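One way to carry out the post meta monitoring recommended above, as an added example that is not VulDB's or the plugin's own code: a Python audit that walks PHP's serialize() format in exported play_podcast_data values and reports any embedded objects. The sample rows, the class names in them and the helper names are constructed for illustration; type tags the walker does not handle (such as C: and E:) are reported as unparseable.

```python
import re

META_KEY = "play_podcast_data"  # meta key named in the advisory
ROWS = [  # constructed sample rows: (post_id, meta_key, meta_value)
    (101, META_KEY, b'a:2:{s:3:"url";s:5:"a.mp3";s:8:"duration";i:95;}'),
    (102, META_KEY, b'a:1:{s:4:"note";s:14:"O:3:"Foo":0:{}";}'),  # object-like text inside a string
    (103, META_KEY, b'a:1:{s:3:"url";O:8:"stdClass":1:{s:1:"x";i:1;}}'),
    (104, META_KEY, b'a:1:{s:3:"url"'),  # truncated value
]

def object_classes(data: bytes) -> list[str]:
    """Walk a PHP serialize() payload; return class names of embedded objects."""
    found, pos = [], 0
    def take(pattern: bytes):
        # Match a regex exactly at the cursor, advance past it, or fail.
        nonlocal pos
        m = re.compile(pattern).match(data, pos)
        if not m:
            raise ValueError(f"unexpected bytes at offset {pos}")
        pos = m.end()
        return m
    def value() -> None:
        nonlocal pos
        m = take(rb'N;|[bidrR]:[^;]*;|a:(\d+):\{|([sO]):(\d+):"')
        count = m.group(1)  # element count when the value is an array
        if m.group(2):  # s:LEN:"bytes"; or O:LEN:"Class":N:{...}
            n = int(m.group(3))
            body, pos = data[pos:pos + n], pos + n  # length-counted, quotes unescaped
            if m.group(2) == b"s":
                take(rb'";')
            else:
                found.append(body.decode("latin-1"))
                count = take(rb'":(\d+):\{').group(1)
        if count is not None:  # array or object body
            for _ in range(2 * int(count)):  # key/value pairs
                value()
            take(rb"\}")
    value()
    take(rb"\Z")  # nothing may follow the top-level value
    return found

def audit(rows):
    """Yield (post_id, findings) for each suspicious play_podcast_data value."""
    for post_id, key, raw in rows:
        if key == META_KEY:
            try:
                classes = object_classes(raw)
            except (ValueError, RecursionError) as exc:
                classes = [f"unparseable: {exc}"]
            if classes:
                yield post_id, classes
```

Because strings in this format are length-prefixed rather than escaped, the walker skips row 102, which a plain pattern match for `O:<n>:"` would flag.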

Reservation: 02/22/2024
Disclosure: 03/13/2024
Moderation: accepted
CPE: ready
EPSS: 0.00990
KEV: no
Activities: very low
Sector: Education
