CVE-2024-9664

HighRCE

Published: 07 February 2025

Published

07 February 2025

Modified

11 February 2025

KEV Added

—

Patch

—

CVSS Score 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0028 51.8th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-9664 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Soflyy Wp All Import. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 48.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Requires timely identification, reporting, and patching of the PHP object injection flaw in the WP All Import Pro plugin to prevent exploitation via deserialization.

RA-5 Vulnerability Monitoring and Scanning good match

detect

Enables automated vulnerability scanning to identify the presence of the vulnerable WP All Import Pro plugin version affected by CVE-2024-9664.

SI-10 Information Input Validation partial match

prevent

Mandates validation of untrusted import file inputs to block malicious PHP object injection during deserialization processing.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059 Command and Scripting Interpreter Execution

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

attack.mitre.org →

Why these techniques?

PHP object injection in public-facing WP plugin enables remote exploitation for RCE/file ops (T1190); resulting arbitrary code execution maps to command/scripting interpreters (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

The WP All Import Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.9.7 via deserialization of untrusted input from an import file. This makes it possible for authenticated attackers, with Administrator-level…

access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Deeper analysisAI

CVE-2024-9664 is a PHP Object Injection vulnerability (CWE-502) affecting the WP All Import Pro plugin for WordPress in all versions up to and including 4.9.7. The flaw stems from deserialization of untrusted input sourced from an import file, enabling the injection of a PHP Object. It carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-02-07.

Authenticated attackers possessing Administrator-level access or higher can exploit this vulnerability by crafting a malicious import file. This allows them to inject a PHP Object, though no known Proof-of-POP (Property-Oriented Programming) chain exists within the vulnerable plugin itself. If a POP chain is available through an additional plugin or theme on the target system, exploitation could escalate to arbitrary file deletion, retrieval of sensitive data, or remote code execution.

Mitigation guidance is available in advisories from Wordfence at https://www.wordfence.com/threat-intel/vulnerabilities/id/0099a8d7-827d-4215-9a2b-b3c268fb5e97?source=cve and the vendor's site at https://www.wpallimport.com/.