{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24989", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-28T09:50:51.017Z", "datePublished": "2026-03-25T16:14:36.190Z", "dateUpdated": "2026-03-26T15:40:08.362Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "affs", "product": "SUMO Affiliates Pro", "vendor": "FantasticPlugins", "versions": [{"changes": [{"at": "11.4.0", "status": "unaffected"}], "lessThanOrEqual": "< 11.4.0", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:18.488Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in FantasticPlugins SUMO Affiliates Pro affs allows Object Injection.<p>This issue affects SUMO Affiliates Pro: from n/a through < 11.4.0.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in FantasticPlugins SUMO Affiliates Pro affs allows Object Injection.This issue affects SUMO Affiliates Pro: from n/a through < 11.4.0."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:36.190Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/affs/vulnerability/wordpress-sumo-affiliates-pro-plugin-11-4-0-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress SUMO Affiliates Pro plugin < 11.4.0 - PHP Object Injection vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-24989", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T15:37:47.807264Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T15:40:08.362Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "WordPress SUMO Affiliates Pro plugin < 11.4.0 - PHP Object Injection vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "affected": [{"vendor": "FantasticPlugins", "product": "SUMO Affiliates Pro", "versions": [{"status": "affected", "changes": [{"at": "11.4.0", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "< 11.4.0"}], "packageName": "affs", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-03-25T17:12:18.488Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/affs/vulnerability/wordpress-sumo-affiliates-pro-plugin-11-4-0-php-object-injection-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in FantasticPlugins SUMO Affiliates Pro affs allows Object Injection.This issue affects SUMO Affiliates Pro: from n/a through < 11.4.0.", "supportingMedia": [{"type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in FantasticPlugins SUMO Affiliates Pro affs allows Object Injection.<p>This issue affects SUMO Affiliates Pro: from n/a through < 11.4.0.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:36.190Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-24989", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T15:37:47.807264Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-03-26T15:39:44.536Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-24989", "state": "PUBLISHED", "dateUpdated": "2026-03-25T16:14:36.190Z", "dateReserved": "2026-01-28T09:50:51.017Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:14:36.190Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in FantasticPlugins SUMO Affiliates Pro affs allows Object Injection.This issue affects SUMO Affiliates Pro: from n/a through < 11.4.0."}], "id": "CVE-2026-24989", "lastModified": "2026-03-26T16:16:05.960", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:16:41.040", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/affs/vulnerability/wordpress-sumo-affiliates-pro-plugin-11-4-0-php-object-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,11.4.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "SUMO Affiliates Pro", "source": "cna", "vendor": "FantasticPlugins"}, "product": "sumo_affiliates_pro", "vendor": "fantasticplugins"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-25T17:36:40.132735+00:00", "value": {"mitigation_remediation": ["Apply the vendor\u2019s patch by upgrading SUMO Affiliates Pro to version 11.4.0 or later.", "If an upgrade is not immediately possible, temporarily disable or deactivate the SUMO Affiliates Pro plugin to block the vulnerable functionality.", "Verify that no custom code or hooks are present that trigger the plugin\u2019s deserialization routine; if found, remove or sanitize them.", "Monitor the site for abnormal activity and, if feasible, apply web\u2011application firewall rules to block suspicious payloads."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "WordPress sites that use the SUMO Affiliates Pro plugin from versions not equal to or higher than 11.4.0. The plugin is distributed by FantasticPlugins. Any installation prior to 11.4.0 is potentially vulnerable; there is no defined minimum version that provides the fix.", "description_and_impact": "The vulnerability is a deserialization of untrusted data that permits PHP object injection within the SUMO Affiliates Pro plugin. A malicious actor can craft a request that, when processed by the plugin, constructs arbitrary PHP objects, enabling code execution or unexpected behavior. The impact can include executing arbitrary code, modifying store data, or compromising the WordPress site, thereby violating confidentiality, integrity, and availability.", "risk_and_exploitability": "The attack vector appears to require access to the web interface that triggers the plugin\u2019s deserialization routine. The CVE does not publish a CVSS score or EPSS value, so the exact severity is not quantified in the data. However, because the weakness is a classic PHP Object Injection (CWE\u2011502) that can lead to remote code execution, the risk profile is high. The vulnerability is not listed in CISA\u2019s KEV catalog, suggesting no known exploited cases, but a high potential for exploitation remains. Consequently, prudent administrators should assume the risk until a patch is applied."}}}}, "created": "2026-03-25T21:34:25.609491+00:00", "updated": "2026-03-26T11:39:40.323924+00:00", "vendors": ["fantasticplugins", "fantasticplugins$PRODUCT$sumo_affiliates_pro", "wordpress", "wordpress$PRODUCT$wordpress"]}