CVE-2024-13921
Published: 20 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2024-13921 is a PHP Object Injection vulnerability (CWE-502) affecting the Order Export & Order Import for WooCommerce plugin for WordPress in all versions up to and including 2.6.0. The issue arises from deserialization of untrusted input via the 'form_data' parameter, enabling authenticated attackers with Administrator-level access or higher to inject a PHP Object. The vulnerability carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-03-20.
Exploitation requires an authenticated attacker with at least Administrator privileges. While the vulnerability allows PHP Object Injection, no known POP (Property-Oriented Programming) chain exists within the vulnerable plugin itself, rendering it ineffective in isolation. Impact only materializes if another plugin or theme on the target site provides a POP chain, potentially enabling actions such as arbitrary file deletion, sensitive data retrieval, or code execution, depending on the chain available.
Advisories and references, including Wordfence threat intelligence and WordPress plugin trac repositories, point to the vulnerable code in the export and import AJAX classes (class-export-ajax.php and class-import-ajax.php). A patch is indicated via changeset 3258567 in the plugin's trac, suggesting mitigation through updating to a version beyond 2.6.0.
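As an added illustration, not the plugin's own code from class-export-ajax.php or class-import-ajax.php, the unsafe pattern behind CWE-502 is shown beside a hardened handler; the function names and the serialized sample standing in for 'form_data' are constructed for this example.

```php
<?php
// Constructed stand-in for the 'form_data' request parameter: a serialized
// PHP object. The class name is fully under the sender's control, which is
// the root of the problem: unserialize() instantiates whatever is named.
$constructed_form_data = 'O:8:"stdClass":1:{s:7:"setting";s:5:"value";}';

// Vulnerable pattern (hypothetical handler): unserialize() on request input.
// PHP instantiates the named class and later runs its magic methods
// (__wakeup, __destruct, ...). That is what a POP chain in some other
// installed plugin or theme would build on; this plugin alone has none.
function import_settings_vulnerable(string $form_data): mixed {
    return unserialize($form_data);
}

// Hardened pattern (hypothetical handler): never let request input create
// objects, then validate the shape of what is left.
function import_settings_hardened(string $form_data): array {
    // Preferred: accept a format with no object semantics at all (JSON).
    $decoded = json_decode($form_data, true);
    if (is_array($decoded)) {
        return $decoded;
    }
    // If legacy serialized arrays must still be accepted, forbid class
    // instantiation: any object in the input degrades to a
    // __PHP_Incomplete_Class stub and no magic methods are invoked.
    $decoded = @unserialize($form_data, ['allowed_classes' => false]);
    if (!is_array($decoded)) {
        return [];   // object or malformed input: reject, do not process
    }
    return $decoded;
}

// Stand-alone demonstration: the vulnerable path hands back a live object
// instance, the hardened path rejects the same input as not-an-array.
$vulnerable_result = import_settings_vulnerable($constructed_form_data);
$hardened_result   = import_settings_hardened($constructed_form_data);
echo 'vulnerable path type: ', get_debug_type($vulnerable_result), PHP_EOL;
echo 'hardened path result: ', var_export($hardened_result, true), PHP_EOL;
```

In a WordPress AJAX handler the capability and nonce checks still belong in front of this, but as the advisory notes the reporter already holds Administrator access, so the effective fix is removing the deserialization of request data rather than tightening authorization.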
Details
CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a deserialization vulnerability in a public-facing WordPress plugin, exploitable by authenticated administrators to inject PHP objects, which directly constitutes exploitation of a public-facing application (T1190). Full impact depends on external POP chains for code execution or file operations, making other mappings (e.g., T1059, T1070) indirect.