Primary

Context

WP All Import Pro PHP Object Injection Vulnerability in WordPress

Vulnerability

A PHP Object Injection vulnerability has been identified in the WP All Import Pro plugin for WordPress, affecting all versions through 4.9.7. The vulnerability arises from the deserialization of untrusted input from import files, allowing authenticated attackers with Administrator-level access to inject PHP objects. While the vulnerable software does not have a known proof-of-concept chain, the presence of such a chain through an additional plugin or theme could enable the attacker to delete arbitrary files, access sensitive data, or execute code.

Impact

Exploitation of this vulnerability could lead to unauthorized PHP object injection, with potential consequences depending on the presence of a proof-of-concept chain via other plugins or themes.

Remediation

Users are advised to update the WP All Import Pro plugin to version 4.9.8 or a newer patched version.

Added: Jun 9, 2025, 7:46 PM

Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

7.5

exploitability

4.5

remediation

7.7

relevance

0.0

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

7.5

exploitability

4.5

remediation

7.7

relevance

0.0

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

WP All Import Pro PHP Object Injection Vulnerability in WordPress

Vulnerability

Impact

Remediation

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating