CVE-2024-13899
Published: 22 February 2025
Summary
CVE-2024-13899 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Misterpah Mambo Joomla Importer. Its CVSS base score is 7.2 (High).
Operationally, ranked at the 40.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents PHP Object Injection by requiring validation of untrusted inputs like the $data parameter prior to deserialization in the fImportMenu function.
Mandates timely identification, reporting, and remediation of flaws such as the deserialization vulnerability in the Mambo Importer plugin, including patching or removal.
Restricts user-installed software like vulnerable WordPress plugins, preventing deployment of the Mambo Importer and mitigating the risk of PHP Object Injection.
NVD Description
The Mambo Importer plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0 via deserialization of untrusted input via the $data parameter in the fImportMenu function. This makes it possible for authenticated attackers,…
more
with Administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.
Deeper analysisAI
CVE-2024-13899 is a PHP Object Injection vulnerability (CWE-502) affecting the Mambo Importer plugin for WordPress in all versions up to and including 1.0. The issue arises from deserialization of untrusted input via the $data parameter in the fImportMenu function, enabling authenticated attackers with Administrator-level access or higher to inject a PHP Object. The vulnerability carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), rated as High severity.
Exploitation requires an authenticated attacker with elevated privileges, such as Administrator access. While the injection itself is possible, the vulnerable plugin lacks a known PHP Object Injection (POP) chain, resulting in no direct impact unless another plugin or theme on the site provides a POP chain. In such cases, attackers could potentially delete arbitrary files, retrieve sensitive data, or execute arbitrary code, depending on the capabilities of the available POP chain.
Advisories from sources like Wordfence detail the vulnerability in their threat intelligence (https://www.wordfence.com/threat-intel/vulnerabilities/id/b6d448c2-5acc-47f8-8e86-9ef10fa01513?source=cve), and the affected code is visible in the plugin's source at line 45 of mamboImporter.php (https://plugins.trac.wordpress.org/browser/mambo-joomla-importer/trunk/mamboImporter.php#L45). No patches or specific mitigation steps are outlined in the available details, emphasizing the dependency on external POP chains for impact.
Details
- CWE(s)