CVE-2024-52411 CRITICAL

CVE-2024-52411: WordPress Advanced Personalization plugin <= 1.1.2 - PHP Object Injection vulnerability

Vendor Flowcraft

Product Advanced Personalization

Weakness CWE-502 · Unsafe deserialization

Published November 16, 2024

Last update April 28, 2026

View on NVD All CVEs

CVSS base score

9.8/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Deserialization of Untrusted Data vulnerability in flowcraft Advanced Personalization personalization-by-flowcraft allows Object Injection.This issue affects Advanced Personalization: from n/a through <= 1.1.2.

Key dates

02Disclosure timeline

November 16, 2024 CVE published

April 28, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-52411

Related vulnerabilities

04Related CVE

CVE-2026-25524 OpenMage LTS's Phar Deserialization leads to Remote Code Execution CVE-2025-48459 Apache IoTDB: Deserialization of untrusted Data CVE-2025-54897 Microsoft SharePoint Remote Code Execution Vulnerability CVE-2025-42963 Insecure Deserialization in SAP NetWeaver Application Server for Java (Log Viewer ) CVE-2024-2006 Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget <= 1.6.7 - Authenticated (Contributor+) PHP Object Injection in outpost_shortcode_metabox_markup