CVE-2024-13889

Summary

CVE-2024-13889 is a vulnerability affecting the WordPress Importer plugin up to version 0.8.3. This issue allows authenticated attackers with Administrator-level access to inject PHP Objects via the 'maybe_unserialize' function through deserialization of untrusted inputs. However, the vulnerability itself does not provide a means for attackers to perform actions like file deletion, data retrieval, or code execution. These capabilities depend on the presence of a POP (Return-Oriented Programming) chain in other plugins or themes installed on the target system. If such a POP chain exists, an attacker could potentially exploit it to gain more control over the WordPress installation.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.