CVE-2024-13889
Published: 26 March 2025
Description
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Security Summary
CVE-2024-13889 is a PHP Object Injection vulnerability in the WordPress Importer plugin for WordPress, affecting all versions up to and including 0.8.3. The flaw stems from deserialization of untrusted input in the 'maybe_unserialize' function within the plugin's class-wp-import.php file, which enables injection of a PHP Object. It is classified under CWE-502 (Deserialization of Untrusted Data) with a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
Authenticated attackers with Administrator-level access or higher can exploit this vulnerability to inject a PHP Object. However, no known Property-Oriented Programming (POP) chain exists in the vulnerable plugin itself, rendering it ineffective in isolation. Impact only occurs if another plugin or theme on the target site provides a POP chain, potentially allowing actions such as deleting arbitrary files, retrieving sensitive data, or executing code, depending on the specific chain.
References point to vulnerable code locations in class-wp-import.php at lines 602, 857, 891, and 975, with a patch applied in changeset 3261419 on the WordPress plugins trac repository.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
PHP object injection via deserialization in public-facing WordPress plugin enables exploitation for code execution (and related impacts like file deletion/data access via POP chains).