CVE-2024-9664
Published: 07 February 2025
Description
The WP All Import Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.9.7 via deserialization of untrusted input from an import file. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
Security Summary
CVE-2024-9664 is a PHP Object Injection vulnerability (CWE-502) affecting the WP All Import Pro plugin for WordPress in all versions up to and including 4.9.7. The flaw stems from deserialization of untrusted input sourced from an import file, enabling the injection of a PHP Object. It carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-02-07.
Authenticated attackers possessing Administrator-level access or higher can exploit this vulnerability by crafting a malicious import file. This allows them to inject a PHP Object, though no known Proof-of-POP (Property-Oriented Programming) chain exists within the vulnerable plugin itself. If a POP chain is available through an additional plugin or theme on the target system, exploitation could escalate to arbitrary file deletion, retrieval of sensitive data, or remote code execution.
Mitigation guidance is available in advisories from Wordfence at https://www.wordfence.com/threat-intel/vulnerabilities/id/0099a8d7-827d-4215-9a2b-b3c268fb5e97?source=cve and the vendor's site at https://www.wpallimport.com/.
Details
- CWE(s)