CMB2 Vulnerability – Authenticated PHP Object Injection – CVE-2024-1792 | WordPress Plugin Vulnerability Report

Plugin Name: CMB2

Key Information:

  • Software Type: Plugin
  • Software Slug: cmb2
  • Software Status: Active
  • Software Author: jtsternberg
  • Software Downloads: 4,198,199
  • Active Installs: 300,000
  • Last Updated: April 3, 2024
  • Patched Versions: 2.11.0
  • Affected Versions: <= 2.10.1

Vulnerability Details:

  • Name: CMB2 <= 2.10.1
  • Title: Authenticated PHP Object Injection
  • Type: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE: CVE-2024-1792
  • CVSS Score: 7.2
  • Publicly Published: April 3, 2024
  • Researcher: Francesco Carlucci
  • Description: The CMB2 plugin for WordPress has been identified with a PHP Object Injection vulnerability in versions up to 2.10.1. This vulnerability arises from the deserialization of untrusted input in the text_datetime_timestamp_timezone field, allowing authenticated attackers with contributor-level access or higher to inject a PHP Object. The exploitability of this vulnerability hinges on the presence of a Property-Oriented Programming (POP) chain, potentially introduced by other plugins or themes, which could lead to arbitrary file deletion, sensitive data retrieval, or code execution. It's important to note that CMB2 functions as a developer toolkit, necessitating metabox activation in the code for the vulnerability to be exploitable.


CMB2, a widely used WordPress plugin designed as a developer's toolkit for creating metaboxes and custom fields, has been found vulnerable to a significant security risk in versions up to and including 2.10.1. Designated as CVE-2024-1792, this vulnerability highlights the potential for PHP Object Injection, posing substantial risks to website integrity and data security. In response, the developers have released a patched version, 2.11.0, emphasizing the critical importance of maintaining up-to-date software to mitigate such vulnerabilities.

Detailed Overview:

Uncovered by security researcher Francesco Carlucci, CVE-2024-1792 showcases a nuanced vulnerability within CMB2, stemming from the deserialization of untrusted inputs. This vulnerability underscores the broader challenges faced by developers in securely handling user inputs and the potential cascading effects when combined with other vulnerable components on a WordPress site. The patched version 2.11.0 addresses this issue, reinforcing the plugin's defenses against such sophisticated attacks.

Advice for Users:

  • Immediate Action: Users of the CMB2 plugin should update to the patched version 2.11.0 immediately to secure their sites against CVE-2024-1792.
  • Check for Signs of Vulnerability: Administrators are advised to review their sites for unusual activities or unauthorized modifications, which may indicate exploitation.
  • Alternate Plugins: While the updated version addresses this specific vulnerability, users may consider evaluating other plugins that provide similar functionality, ensuring they also adhere to stringent security standards.
  • Stay Updated: The security landscape is ever-evolving; hence, keeping all WordPress components updated is paramount in safeguarding against known vulnerabilities and enhancing site functionality.


The swift remediation of CVE-2024-1792 in the CMB2 plugin serves as a poignant reminder of the ongoing imperative for timely software updates in the realm of digital security. For WordPress site owners, especially those managing small businesses, the proactive management of plugin updates is not merely a best practice but an essential defense against the myriad of cyber threats that pervade the internet. Embracing a vigilant security posture, characterized by regular updates and comprehensive monitoring, is paramount in ensuring a secure and reliable digital presence.


Detailed Report: 

In today's digital ecosystem, where websites serve as the nexus for businesses, personal expression, and community engagement, the integrity of these platforms is paramount. The recent revelation of a vulnerability within the CMB2 WordPress plugin, known as CVE-2024-1792, brings to light the ever-present challenge of maintaining this integrity. Authenticated PHP Object Injection, the nature of this vulnerability, not only underscores the vulnerability itself but also the broader narrative of the necessity for vigilance and timely updates in the realm of website security.

About the CMB2 Plugin:

CMB2, developed by jtsternberg and utilized by over 300,000 active installations, is esteemed for its robust functionality that aids developers in creating custom metaboxes and fields within WordPress. With a significant footprint, evidenced by its 4,198,199 downloads, CMB2 has become an indispensable tool for many in the WordPress community.

Vulnerability Details:

  • CVE: CVE-2024-1792
  • Vulnerability Title: Authenticated PHP Object Injection
  • Affected Versions: All versions up to and including 2.10.1
  • Patched Version: 2.11.0
  • CVSS Score: 7.2, indicating a high severity
  • Researcher: Francesco Carlucci
  • Description: The vulnerability originates from the improper handling of deserialized input within the text_datetime_timestamp_timezone field, allowing attackers with contributor-level access to inject malicious PHP Objects. The potential impact hinges on the presence of a POP chain, possibly introduced by other components on the site, which could lead to severe consequences such as data breaches, unauthorized code execution, or file deletions.

Risks and Impacts:

The implications of CVE-2024-1792 extend beyond mere technical glitches, posing substantial risks to website integrity, user data security, and overall trust in the affected platforms. Such vulnerabilities can be exploited to compromise sensitive information, manipulate website content, or even gain unauthorized control over the site, underscoring the critical nature of this security flaw.


In response to this vulnerability, the developers of CMB2 acted swiftly, releasing a patched version, 2.11.0, that addresses and rectifies the issue. Users of the plugin are urged to update to this latest version immediately to protect their sites from potential exploits.

Previous Vulnerabilities:

The history of vulnerabilities within CMB2, including CVE-2024-1792, serves as a testament to the ongoing battle against security threats in the digital domain. Each incident offers valuable lessons on the importance of proactive security measures and the need for continuous vigilance.


The resolution of CVE-2024-1792 within the CMB2 plugin is a stark reminder of the critical importance of staying abreast of security vulnerabilities and ensuring timely updates. For small business owners who manage WordPress sites, this incident underscores the necessity of a proactive approach to cybersecurity. Regularly updating plugins, themes, and the WordPress core, along with employing robust security measures, is essential in safeguarding digital assets against the ever-evolving landscape of cyber threats. In the digital age, the security of a website is not just a technical requirement but a foundational aspect of maintaining trust, functionality, and the overall health of one's digital presence.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

CMB2 Vulnerability – Authenticated PHP Object Injection – CVE-2024-1792 | WordPress Plugin Vulnerability Report FAQs

What is CVE-2024-1792?

CVE-2024-1792 is a security vulnerability identified in the CMB2 WordPress plugin. It pertains to an Authenticated PHP Object Injection issue that affects versions up to 2.10.1 of the plugin. This vulnerability allows attackers with contributor-level access or higher to exploit the plugin's handling of deserialized input, leading to potential unauthorized actions within the website.

The vulnerability is particularly concerning due to its potential to compromise website integrity and user data. It underscores the necessity for web administrators to update their CMB2 plugin to the patched version, 2.11.0, to mitigate the risks associated with this vulnerability.

Leave a Comment