PHP Object Injection Vulnerability in WordPress Importer Plugin
CVE-2024-13889

7.2 HIGH

Key Information:

Vendor: WordPress
CVE Published: 26 March 2025

What is CVE-2024-13889?

The WordPress Importer plugin is vulnerable to PHP Object Injection: the 'maybe_unserialize' function deserializes untrusted input, so authenticated attackers with Administrator-level access can inject PHP objects. No PHP Object Pollution (POP) chain exists within the plugin itself, but an attacker can leverage this vulnerability when another installed plugin or theme supplies a usable POP chain. Depending on that chain, this may lead to unauthorized actions such as file deletion, sensitive data retrieval, or arbitrary code execution.
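The following is an added illustration, not code from the WordPress Importer plugin or the advisory: it shows why calling unserialize() on untrusted data is the root issue, what a serialized object in import data looks like, and the allowed_classes hardening that stops object injection even when another component exposes a gadget class. The class HypotheticalGadget, the three helper functions and the sample value are all constructed for this example, and the script assumes PHP 8 or later.

```php
<?php
// Added illustration (not the plugin's own code): unrestricted unserialize()
// versus the allowed_classes hardening, plus a coarse pre-deserialization check.

// Constructed stand-in for a "gadget" class that some other installed plugin
// or theme might expose. Its magic method only records that it ran, so the
// script is safe to execute; a real POP chain would do something harmful here.
class HypotheticalGadget
{
    public static array $sideEffects = [];
    public string $target = 'constructed-value';

    public function __wakeup(): void
    {
        self::$sideEffects[] = "wakeup ran with target={$this->target}";
    }
}

// Constructed sample of what an object inside serialized import data looks
// like; produced with serialize() rather than written by hand.
function constructedImportValue(): string
{
    return serialize(new HypotheticalGadget());
}

// Unsafe pattern: revive whatever the input serializes to. This is the class
// of bug the advisory describes; the value is still untrusted even though it
// arrives from an Administrator-level account.
function unsafeUnserialize(string $input): mixed
{
    return unserialize($input);
}

// Hardened pattern: refuse to instantiate any class. Objects in the input
// become __PHP_Incomplete_Class and no magic method (__wakeup, __destruct,
// __toString, ...) of a gadget class is ever invoked. Use a whitelist array
// instead of false only if specific, audited classes are genuinely required.
function safeUnserialize(string $input): mixed
{
    return unserialize($input, ['allowed_classes' => false]);
}

// Coarse heuristic for logging/alerting: does the serialized string carry an
// object (O:) or custom-serialized (C:) token? Import data that only needs
// scalars and arrays should never contain one. This is a pre-filter, not a
// substitute for allowed_classes, because string values can contain the same
// characters.
function containsSerializedObject(string $input): bool
{
    return (bool) preg_match('/(^|[;{])[OC]:\d+:"/', $input);
}

$value = constructedImportValue();

HypotheticalGadget::$sideEffects = [];
$unsafe = unsafeUnserialize($value);
printf("unsafe: %s, side effects: %d\n", get_class($unsafe), count(HypotheticalGadget::$sideEffects));

HypotheticalGadget::$sideEffects = [];
$safe = safeUnserialize($value);
printf("safe: %s, side effects: %d\n", get_class($safe), count(HypotheticalGadget::$sideEffects));

printf("object token present: %s\n", containsSerializedObject($value) ? 'yes' : 'no');
```

Run it with `php example.php`: the unrestricted path instantiates HypotheticalGadget and its __wakeup fires, while the hardened path yields a __PHP_Incomplete_Class and leaves the side-effect list empty. For WordPress code that must keep accepting serialized values, passing `['allowed_classes' => false]` (or an explicit whitelist) to unserialize(), or switching the format to JSON, removes the object-injection surface regardless of which other plugins or themes are installed.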

Affected Version(s)

WordPress Importer: all versions up to and including 0.8.3

CVSS v3.1

Score: 7.2
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published: 26 March 2025
  • Vulnerability reserved

Credit

Francesco Carlucci