PT-2024-39670 · WordPress · Fluentsmtp
Leo +1 · Published 2024-10-22 · Updated 2024-11-25 · CVE-2024-9511
CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
FluentSMTP – WP SMTP Plugin with Amazon SES, SendGrid, MailGun, Postmark, Google and Any SMTP Provider versions prior to 2.2.82
Description
The FluentSMTP plugin for WordPress is vulnerable to PHP Object Injection via deserialization of untrusted input in the formatResult function. This allows unauthenticated attackers to inject a PHP object. No known POP chain is present in the vulnerable software, but if a POP chain is present via an additional plugin or theme, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. The vulnerability was partially patched in version 2.2.82. Over 300,000 WordPress sites are potentially exposed to this issue.
Recommendations
For versions prior to 2.2.82, update to a version that includes the partial patch, such as version 2.2.82, to mitigate the risk of PHP Object Injection. As a temporary workaround, consider restricting access to the formatResult function until a more comprehensive patch is available. Additionally, users should be cautious of installing additional plugins or themes that could introduce a POP chain, exacerbating the vulnerability. At the moment, there is no information about a newer version that contains a complete fix for this vulnerability.
Fix
Deserialization of Untrusted Data
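The weakness class named above, as an added PHP example that is not FluentSMTP's code or its patch: `decode_unsafe` lets the serialized input choose which classes are instantiated, while `decode_safe` calls `unserialize()` with `allowed_classes => false` and rejects any value that still carries an object. `ConstructedGadget`, both function names and the sample inputs are hypothetical and constructed for this illustration.

```php
<?php
// Added illustration, not FluentSMTP code; every name below is hypothetical.

// Stand-in for a class some other plugin or theme might ship: a magic
// method like this is the building block of a POP chain.
class ConstructedGadget
{
    public $note = 'constructed';
    public function __wakeup()
    {
        echo "__wakeup() ran during unserialize()\n";
    }
}

// Weak pattern: the serialized input decides which classes are instantiated.
function decode_unsafe(string $raw)
{
    return unserialize($raw);
}

// True if an object (including a __PHP_Incomplete_Class placeholder) appears
// at any nesting depth of the decoded value.
function contains_object($value): bool
{
    if (is_object($value) || $value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    foreach (is_array($value) ? $value : [] as $item) {
        if (contains_object($item)) {
            return true;
        }
    }
    return false;
}

// Hardened pattern: no class is instantiated, so no magic method can run;
// malformed input and input carrying objects are both rejected with null.
function decode_safe(string $raw)
{
    $value = @unserialize($raw, ['allowed_classes' => false]);
    $malformed = ($value === false && $raw !== serialize(false));
    return ($malformed || contains_object($value)) ? null : $value;
}

// Constructed sample inputs.
$benign  = serialize(['code' => 250, 'message' => 'OK']);
$hostile = serialize(['code' => 250, 'message' => new ConstructedGadget()]);

var_dump(decode_safe($benign), decode_safe($hostile), decode_unsafe($hostile));
```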
Weakness Enumeration
Related Identifiers
Affected Products
Fluentsmtp