CVE-2024-13899

CVE-2024-13899 is a PHP Object Injection vulnerability (CWE-502) affecting the Mambo Importer plugin for WordPress in all versions up to and including 1.0. The issue arises from deserialization of untrusted input via the $data parameter in the fImportMenu function, enabling authenticated attackers with Administrator-level access or higher to inject a PHP Object. The vulnerability carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), rated as High severity.

Exploitation requires an authenticated attacker with elevated privileges, such as Administrator access. While the injection itself is possible, the vulnerable plugin lacks a known PHP Object Injection (POP) chain, resulting in no direct impact unless another plugin or theme on the site provides a POP chain. In such cases, attackers could potentially delete arbitrary files, retrieve sensitive data, or execute arbitrary code, depending on the capabilities of the available POP chain.

Advisories from sources like Wordfence detail the vulnerability in their threat intelligence (https://www.wordfence.com/threat-intel/vulnerabilities/id/b6d448c2-5acc-47f8-8e86-9ef10fa01513?source=cve), and the affected code is visible in the plugin's source at line 45 of mamboImporter.php (https://plugins.trac.wordpress.org/browser/mambo-joomla-importer/trunk/mamboImporter.php#L45). No patches or specific mitigation steps are outlined in the available details, emphasizing the dependency on external POP chains for impact.