CVE-2024-9511
Published: 23 November 2024
Summary
CVE-2024-9511 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in WordPress (product inferred from references; the affected component is the FluentSMTP plugin). Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 14.0% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.
Deeper analysis
The FluentSMTP WordPress plugin, which integrates with providers such as Amazon SES, SendGrid, MailGun, Postmark, and Google SMTP, is affected by a PHP Object Injection vulnerability (CWE-502) in all versions through 2.2.82. The flaw stems from unsafe deserialization of untrusted input inside the formatResult function of the Logger.php component, allowing an attacker to supply a serialized PHP object without authentication.
An unauthenticated remote attacker can exploit the issue over the network by sending crafted input that triggers object injection. Although no POP chain exists in the plugin itself, the presence of an additional vulnerable plugin or theme on the same site could enable the attacker to delete arbitrary files, access sensitive data, or achieve remote code execution, consistent with the CVSS 9.8 rating.
The Wordfence advisory and the WordPress plugin Trac changesets indicate that the vulnerability received a partial fix in version 2.2.82, with further remediation applied in the subsequent changesets 3194359 and 3194555; administrators are advised to update immediately and to verify that no other installed plugin or theme supplies a usable POP chain.
EPSS for this CVE rose from a low baseline to a peak of 0.0787 on 2025-12-11 before receding to the current value of 0.0263, indicating a noticeable increase in exploitation interest after disclosure.
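The flaw class described above, reduced to its essentials, is a call to `unserialize()` on a string that an unauthenticated request can influence. The following PHP is an added illustration and is not FluentSMTP's code or its fix: it shows the vulnerable pattern in generic form next to two defensive variants that correspond to the "validate or reject before deserialization" and "integrity verification" controls listed further down. All names (`format_result_*`, the `extra` field, `LOG_SIGNING_KEY`) and the sample rows are assumptions constructed for the example.

```php
<?php
// Added illustration of CWE-502 (PHP Object Injection), not the plugin's code.
// Function names, the 'extra' field and LOG_SIGNING_KEY are assumptions.

// Assumed per-site secret used only to authenticate stored log rows. In a real
// WordPress deployment derive it from the site's salts instead of a literal.
const LOG_SIGNING_KEY = 'replace-with-a-per-site-secret';

// VULNERABLE PATTERN: unserialize() on a string that may be attacker-controlled.
// PHP instantiates whatever class the payload names and runs its __wakeup() and
// later __destruct() methods; that is the object-injection primitive.
function format_result_unsafe(array $row): array
{
    $row['extra'] = unserialize($row['extra']);
    return $row;
}

// HARDENED 1: refuse to build objects at all. With allowed_classes => false any
// serialized object becomes __PHP_Incomplete_Class and no magic method runs;
// the row is then rejected explicitly rather than passed on half-decoded.
function format_result_no_objects(array $row): array
{
    $decoded = @unserialize($row['extra'], ['allowed_classes' => false]);
    if ($decoded === false || is_object($decoded)
        || (is_array($decoded) && contains_object($decoded))) {
        $row['extra'] = []; // malformed or object-bearing payload: drop it
    } else {
        $row['extra'] = $decoded;
    }
    return $row;
}

// Recursively check for objects nested inside arrays.
function contains_object(array $value): bool
{
    foreach ($value as $item) {
        if (is_object($item) || (is_array($item) && contains_object($item))) {
            return true;
        }
    }
    return false;
}

// HARDENED 2: integrity check before any decoding. Rows are stored as
// "hmac.payload" in JSON, which cannot describe PHP objects at all; a row
// altered after it was written fails the HMAC check and is never decoded.
function store_extra(array $data): string
{
    $payload = json_encode($data);
    return hash_hmac('sha256', $payload, LOG_SIGNING_KEY) . '.' . $payload;
}

function load_extra(string $stored): ?array
{
    $parts = explode('.', $stored, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$mac, $payload] = $parts;
    $expected = hash_hmac('sha256', $payload, LOG_SIGNING_KEY);
    if (!hash_equals($expected, $mac)) {
        return null; // tampered or foreign payload
    }
    $decoded = json_decode($payload, true);
    return is_array($decoded) ? $decoded : null;
}

// Constructed sample rows: a benign array payload and a serialized-object
// payload (a plain stdClass stands in for any class a payload might name).
$benign = ['extra' => serialize(['to' => 'user@example.com'])];
$object = ['extra' => serialize((object) ['x' => 1])];

var_dump(format_result_no_objects($benign)['extra']); // array survives
var_dump(format_result_no_objects($object)['extra']); // object payload rejected

$stored = store_extra(['to' => 'user@example.com']);
var_dump(load_extra($stored));                           // authentic row decodes
var_dump(load_extra('deadbeef.' . substr($stored, 65))); // bad HMAC rejected
```

The first hardened variant is the smallest change that removes the injection primitive from an existing `unserialize()` call site; the second removes the call entirely, which is the preferable fix for new code, and also gives the "integrity verification before deserialization" control a concrete form. Note that `allowed_classes => false` still rejects a legitimately serialized `false` value; for log metadata that is an acceptable trade.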
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-50316
Vulnerability details
The FluentSMTP – WP SMTP Plugin with Amazon SES, SendGrid, MailGun, Postmark, Google and Any SMTP Provider plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.2.82 via deserialization of untrusted input in the 'formatResult' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. The vulnerability was partially patched in version 2.2.82.
- CWE(s): CWE-502 (Deserialization of Untrusted Data)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Penetration testing that supplies malicious serialized objects detects unsafe deserialization and supports corrective action.
- Evaluation of untrusted data handling (deserialization testing) reveals unsafe processing, which the required remediation process then addresses.
- Untrusted serialized data can be deserialized and observed inside a sandbox, so that gadget-chain execution is contained and cannot affect the host outside it.
- Validation that rejects untrusted serialized data (for example, refusing any payload that would instantiate objects) before deserialization occurs.
- Detection and blocking of malicious code introduced through deserialization of untrusted data at system boundaries.
- Integrity verification of serialized data (such as a MAC checked before decoding) can detect tampering before deserialization occurs.
- Provenance tracking of associated data allows untrusted sources to be detected before deserialization or processing occurs.