CVE-2024-9664

7.2 HIGH

📋 TL;DR

The WP All Import Pro plugin for WordPress is vulnerable to PHP object injection through deserialization of untrusted import files. This allows authenticated attackers with Administrator privileges to inject malicious PHP objects. If a POP chain exists via other installed plugins or themes, this could lead to file deletion, data theft, or remote code execution.
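Added illustration of the vulnerability class described above. This is a constructed PHP script, not code from WP All Import Pro or its vendor: `Demo_Cache_Cleaner` is a hypothetical stand-in for a class some other plugin or theme might provide, the two loader functions are simplified models of a vulnerable and a hardened importer, and the file names are temporary files created by the script. It shows why "POP chain via other installed plugins or themes" matters: unserialize() itself only needs to instantiate a class with a side-effecting magic method, and `allowed_classes => false` (PHP 7.0+) blocks that. Not using PHP serialization for user-supplied files at all (for example JSON) is the stronger fix.

```php
<?php
// Added example for this advisory (constructed; not WP All Import Pro source).
// Models the bug class: a user-controlled import file is handed to
// unserialize(), so any class already loaded on the site can be instantiated
// with attacker-chosen property values.

// Hypothetical stand-in for a class another plugin or theme might ship.
// Its __destruct() performs a file operation, which makes it a usable
// POP-chain sink: the object does work simply by being created and freed.
class Demo_Cache_Cleaner {
    public $path;

    public function __destruct() {
        if (is_string($this->path) && is_file($this->path)) {
            unlink($this->path);   // the "file deletion" outcome from the TL;DR
        }
    }
}

// Vulnerable pattern: untrusted bytes go straight into unserialize().
function load_import_settings_vulnerable($file) {
    return unserialize(file_get_contents($file));
}

// Hardened pattern: allowed_classes => false turns every object in the
// payload into __PHP_Incomplete_Class, so no __wakeup()/__destruct() runs.
// The loader then accepts only the shape the importer actually needs.
function load_import_settings_hardened($file) {
    $data = unserialize(file_get_contents($file), ['allowed_classes' => false]);
    return is_array($data) ? $data : [];
}

// --- demonstration -----------------------------------------------------------
$victim = tempnam(sys_get_temp_dir(), 'victim');      // file the gadget deletes
file_put_contents($victim, 'site data');

// Constructed attacker payload, written as a string so that no gadget object
// exists in this script until unserialize() creates one.
$payload = sprintf('O:18:"Demo_Cache_Cleaner":1:{s:4:"path";s:%d:"%s";}',
                   strlen($victim), $victim);
$import = tempnam(sys_get_temp_dir(), 'import');
file_put_contents($import, $payload);

// Hardened loader: payload rejected, victim file still present.
$settings = load_import_settings_hardened($import);
printf("hardened: returned %s, victim exists: %s\n",
       json_encode($settings), var_export(file_exists($victim), true));

// Vulnerable loader: the object is created; freeing it runs __destruct().
$obj = load_import_settings_vulnerable($import);
printf("vulnerable: got %s\n", get_class($obj));
unset($obj);
printf("vulnerable: victim exists: %s\n", var_export(file_exists($victim), true));

unlink($import);
```

Run it with `php demo.php`: the hardened loader returns an empty array and leaves the victim file alone, while the vulnerable loader instantiates `Demo_Cache_Cleaner` and the file is gone as soon as the object is released. With no such class loaded, the same payload would produce only a `__PHP_Incomplete_Class`, which is why the advisory rates the likely impact as limited.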

💻 Affected Systems

Products:
  • WP All Import Pro WordPress Plugin
Versions: All versions up to and including 4.9.7
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Administrator-level access and import functionality usage. Risk increases with additional plugins/themes that provide POP chains.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data exfiltration, or website defacement if a suitable POP chain exists in the environment.

🟠 Likely Case

Limited impact, because exploitation requires Administrator access and a POP chain supplied by another installed plugin or theme; data manipulation or limited file operations are the more likely outcomes.

🟢 If Mitigated

Minimal impact with proper access controls, regular patching, and a small set of installed plugins and themes, which reduces the chance that a usable POP chain is present.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires Administrator access and depends on available POP chains from other installed components.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 4.9.8 or later

Vendor Advisory: https://www.wpallimport.com/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find WP All Import Pro.
4. Click 'Update Now' if available.
5. Alternatively, download the latest version from the vendor and upload it via FTP.

🔧 Temporary Workarounds

Disable Import Functionality (all)

Temporarily disable the import feature until patching is possible. Because importing is the plugin's core function, in practice this means deactivating the plugin.

Restrict Administrator Access (all)

Limit Administrator accounts to trusted personnel only. Exploitation requires an Administrator session, so every Administrator account (and its password or session token) is a path to this bug if compromised.

🧯 If You Can't Patch

  • Remove or disable the WP All Import Pro plugin entirely
  • Implement strict file upload validation and monitoring for import activities

🔍 How to Verify

Check if Vulnerable:

Check plugin version in WordPress admin panel under Plugins > Installed Plugins

Check Version:

wp plugin list --name=wp-all-import-pro --field=version

The --name filter takes the plugin slug (its directory name under wp-content/plugins, assumed here to be wp-all-import-pro), not the display title shown in the admin panel.

Verify Fix Applied:

Confirm WP All Import Pro version is 4.9.8 or higher

📡 Detection & Monitoring

Log Indicators:

  • Unusual import file uploads by Administrator users
  • unserialize() warnings or notices, or errors mentioning __PHP_Incomplete_Class, in the PHP error log shortly after an import
  • Unexpected file operations following imports

Network Indicators:

  • Large or unusual file uploads to import endpoints
  • POST requests to import functionality with serialized data

SIEM Query:

source="web_logs" AND method="POST" AND (uri_path="/wp-admin/admin-ajax.php" OR uri_path CONTAINS "import") AND (post_data MATCHES "O:[0-9]+:\"" OR post_data MATCHES "O%3A[0-9]+%3A%22")

The bare string "O:" is noisy (it also appears in ordinary text such as "INFO:"), so match the full serialized-object header, and remember that form-encoded bodies carry it as O%3A. The import file itself usually arrives as a multipart upload or is written to disk, so a body-logging WAF or a scan of the directory where the plugin stores uploaded import files is needed to see the payload at all.
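Added example of the detection logic behind the SIEM query above, run over constructed sample inputs (a benign log line, a raw import file, a form-encoded POST body and a base64-wrapped field). This is PHP written for this page, not part of the advisory or of any product; `Demo_Cache_Cleaner` is a hypothetical class name and the samples are made up. It shows the two failure modes of a naive `post_data CONTAINS "O:"` rule: false positives on text like "INFO:", and misses when the payload is URL- or base64-encoded.

```php
<?php
// Added example (not from the advisory): detection logic that matches the PHP
// serialized-object header instead of the bare string "O:", and also looks in
// URL-decoded and base64-decoded copies of the input. Sample inputs are
// constructed so the script runs offline.

/**
 * Return the class names of PHP serialized objects found in $text.
 * The header is  O:<len>:"<class>":<nprops>:{  (or C:... for classes that
 * implement Serializable). Class names may contain namespace backslashes.
 */
function find_serialized_objects(string $text): array
{
    $header = '/\b[OC]:\d+:"([A-Za-z_\\\\][\w\\\\]*)":\d+:\{/';
    $candidates = [$text, rawurldecode($text)];

    // Decode any base64-looking run and add it as a further candidate.
    if (preg_match_all('#[A-Za-z0-9+/]{16,}={0,2}#', $text, $m)) {
        foreach ($m[0] as $token) {
            $decoded = base64_decode($token, true);
            if ($decoded !== false) {
                $candidates[] = $decoded;
            }
        }
    }

    $classes = [];
    foreach ($candidates as $candidate) {
        if (preg_match_all($header, $candidate, $mm)) {
            foreach ($mm[1] as $class) {
                $classes[$class] = true;
            }
        }
    }
    return array_keys($classes);
}

// Constructed payload: a serialized object of a hypothetical gadget class.
$payload = 'O:18:"Demo_Cache_Cleaner":1:{s:4:"path";s:14:"/tmp/wp-config";}';

// Constructed samples, each labelled with how the payload is carried.
$samples = [
    'benign log line'   => '2024-10-10 12:00:01 INFO: import job 42 finished, 120 rows',
    'raw import file'   => $payload,
    'form POST body'    => 'settings=' . rawurlencode($payload),
    'base64 in a field' => 'blob=' . base64_encode($payload),
];

foreach ($samples as $label => $text) {
    $naive = strpos($text, 'O:') !== false ? 'match' : 'no match';
    $found = find_serialized_objects($text);
    printf("%-18s naive \"O:\" rule: %-9s object header: %s\n",
           $label, $naive, $found ? implode(', ', $found) : 'none');
}
```

The naive rule fires on the benign "INFO:" line and stays silent on the URL-encoded and base64-wrapped bodies; `find_serialized_objects()` reports `Demo_Cache_Cleaner` for the three real carriers and nothing for the benign line. The same function can be pointed at files in the plugin's upload directory, which is where the import file actually lands when the request is a multipart upload that access logs do not capture.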

🔗 References
