PHP Object Injection Vulnerability in WP All Import Pro by WordPress
CVE-2024-9664

7.2HIGH

Key Information:

Vendor: Soflyy
Status: WP All Import Pro
Vendor: CVE Published:; 7 February 2025

Summary

The WP All Import Pro plugin for WordPress is susceptible to a PHP Object Injection vulnerability affecting all versions up to and including 4.9.7. This vulnerability arises due to the deserialization of untrusted input from import files, allowing authenticated users with Administrator-level access to inject PHP Objects. While no known primitive object patterns (POP) chain is established within the vulnerable software, it is critical to note that the presence of a POP chain through additional plugins or themes may lead to potential risks, such as arbitrary file deletion, sensitive data exposure, or unauthorized code execution.

Affected Version(s)

WP All Import Pro * <= 4.9.7

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://www.wpallimport.com/

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 7, 2025
Vulnerability Reserved
Oct 8, 2024

Credit

Francesco Carlucci