CVE-2024-13889
Published: 26 March 2025
Summary
CVE-2024-13889 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in WordPress (inferred from references). Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 47.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and CM-7 (Least Functionality).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Timely remediation through patching the WordPress Importer plugin directly eliminates the PHP Object Injection vulnerability from deserialization of untrusted input.
Restricting user-installed software prevents deployment of the vulnerable WordPress Importer plugin and other plugins or themes that could provide a POP chain.
Enforcing least functionality by disabling unnecessary plugins like the WordPress Importer removes the vulnerable deserialization capability from the system.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
PHP object injection via deserialization in a public-facing WordPress plugin enables exploitation for code execution, and related impacts such as file deletion or data access, when a POP chain is available on the site.
NVD Description
The WordPress Importer plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 0.8.3 via deserialization of untrusted input in the 'maybe_unserialize' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.
Deeper analysis
CVE-2024-13889 is a PHP Object Injection vulnerability in the WordPress Importer plugin for WordPress, affecting all versions up to and including 0.8.3. The flaw stems from deserialization of untrusted input in the 'maybe_unserialize' function within the plugin's class-wp-import.php file, which enables injection of a PHP Object. It is classified under CWE-502 (Deserialization of Untrusted Data) with a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
Authenticated attackers with Administrator-level access or higher can exploit this vulnerability to inject a PHP Object. However, no known Property-Oriented Programming (POP) chain exists in the vulnerable plugin itself, rendering it ineffective in isolation. Impact only occurs if another plugin or theme on the target site provides a POP chain, potentially allowing actions such as deleting arbitrary files, retrieving sensitive data, or executing code, depending on the specific chain.
References point to vulnerable code locations in class-wp-import.php at lines 602, 857, 891, and 975, with a patch applied in changeset 3261419 on the WordPress plugins trac repository.
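As an added illustration (not the plugin's own code and not from the advisory), the unsafe pattern described above beside a hardened alternative; unsafe_import_value, safe_import_value and contains_incomplete_class are assumed helper names, the sample inputs are constructed, and plain unserialize() stands in for WordPress's maybe_unserialize() so the snippet runs outside WordPress:

```php
<?php
// Added illustration, not the WordPress Importer plugin's code. Plain unserialize()
// stands in for maybe_unserialize(), which passes serialized-looking strings to
// unserialize() with no class restriction.

// Constructed sample inputs: the scalar/array data an import record should carry,
// and a serialized object of an arbitrary class (stdClass here) of the kind an
// untrusted import file could embed.
$benignRecord = serialize(['post_id' => 42, 'meta_key' => 'value']);
$objectRecord = 'O:8:"stdClass":1:{s:3:"key";s:5:"value";}';

// Unsafe pattern (the class of bug in CVE-2024-13889): every loaded class is
// instantiable, so __wakeup()/__destruct() of any plugin or theme class can run
// on data the importer did not produce.
function unsafe_import_value(string $raw)
{
    return @unserialize($raw);
}

// Hardened alternative (assumed helper name): forbid object instantiation.
// With allowed_classes => false, PHP maps every O:/C: token onto
// __PHP_Incomplete_Class, so no real class's magic methods execute; the value is
// then rejected outright because import metadata never legitimately needs objects.
function safe_import_value(string $raw)
{
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if ($value === false && $raw !== 'b:0;') {
        return null; // malformed, or not serialized data at all
    }
    return contains_incomplete_class($value) ? null : $value;
}

// Recursively look for placeholder objects left behind by the restricted unserialize.
function contains_incomplete_class($value): bool
{
    if ($value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_incomplete_class($item)) {
                return true;
            }
        }
    }
    return false;
}

var_dump(safe_import_value($benignRecord));
var_dump(safe_import_value($objectRecord));
```

The benign record round-trips as an array while the object-bearing record is dropped before any class code can run, which is the behaviour a patched importer should have for data it reads from an uploaded file.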
Details
- CWE(s)