FluentSMTP WP Plugin Vulnerable to PHP Object Injection via Deserialization
CVE-2024-9511

9.8CRITICAL

Key Information:

Vendor

WordPress
Status
Fluentsmtp – WP Smtp Plugin With Amazon Ses, Sendgrid, Mailgun, Postmark, Google And Any Smtp Provider
Vendor
CVE Published:
23 November 2024

What is CVE-2024-9511?

The WP SMTP Plugin for WordPress, specifically FluentSMTP, is vulnerable to PHP Object Injection due to improper handling of deserialized input in the 'formatResult' function. This vulnerability affects all versions up to 2.2.82 and allows unauthenticated attackers to inject a PHP Object. While there is no known PHP Object Pollution (POP) chain in the vulnerable plugin itself, the presence of additional plugins or themes could enable attackers to exploit this vulnerability to delete arbitrary files, access sensitive data, or execute malicious code. A partial patch was introduced in version 2.2.82 to mitigate this issue.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

FluentSMTP – WP SMTP Plugin with Amazon SES, SendGrid, MailGun, Postmark, Google and Any SMTP Provider * <= 2.2.82

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/fluent-smtp/tr...
https://plugins.trac.wordpress.org/changeset/3194359/

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

JSON
.