CVE-2025-26763: PHP Object Injection in MetaSlider Plugin for WordPress

Overview

CVE-2025-26763 discloses a critical vulnerability in the popular Responsive Slider by MetaSlider WordPress plugin, affecting all versions up to and including 3.94.0. This issue permits PHP Object Injection via deserialization of untrusted data, exposing affected websites to potential code execution and full system compromise.

Technical Details

The vulnerability is categorized under CWE-502: Deserialization of Untrusted Data. In affected versions, insufficient validation when handling serialized data allows attackers to inject specially crafted objects. These objects can manipulate application behavior or trigger execution paths leading to arbitrary code execution, depending on the availability of a Property-Oriented Programming (POP) chain.

The vulnerable code path does not require authentication or user interaction, making exploitation feasible via network-based attacks.
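The CWE-502 pattern described above, as an added PHP example that is not MetaSlider's code (the plugin's actual code path is not reproduced here): a vulnerable settings loader beside a hardened one, plus a log-side check. Function names and the sample payloads are assumptions constructed for the example.

```php
<?php
// Added example, not code from MetaSlider: the CWE-502 pattern the advisory
// describes, as a vulnerable settings loader beside a hardened one, plus a
// log-side check. Function names and the sample payloads are constructed.

// Vulnerable: every loaded class with __wakeup/__destruct/__toString becomes
// reachable from attacker-controlled bytes (the POP-chain precondition).
function load_settings_vulnerable(string $raw): array
{
    $settings = unserialize($raw);
    return is_array($settings) ? $settings : [];
}

// Hardened: allowed_classes => false turns every object token into
// __PHP_Incomplete_Class, so no magic method ever runs; anything that still
// carries such a placeholder is rejected outright. (Storing settings as JSON
// and using json_decode() removes the problem entirely.)
function load_settings_hardened(string $raw): array
{
    $settings = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($settings)) {
        return [];
    }
    array_walk_recursive($settings, function ($value): void {
        if ($value instanceof __PHP_Incomplete_Class) {
            throw new RuntimeException('serialized object rejected');
        }
    });
    return $settings;
}

// Detection heuristic for request logs or WAF rules: serialized objects appear
// as O:<len>:"<class>" or C:<len>:"<class>", at top level or nested after ; or {.
function contains_serialized_object(string $raw): bool
{
    return (bool) preg_match('/(?:^|[;{])[OC]:\d+:"/', $raw);
}

// Constructed inputs: a plain settings array and one carrying a nested object.
$benign = serialize(['width' => 800, 'effect' => 'fade']);
$nested = 'a:1:{s:3:"obj";O:8:"stdClass":0:{}}';

var_dump(contains_serialized_object($benign), contains_serialized_object($nested));
// The vulnerable path instantiates the embedded object; the hardened path refuses it.
var_dump(load_settings_vulnerable($nested)['obj'] instanceof stdClass);
try {
    load_settings_hardened($nested);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The heuristic can false-positive on string values that happen to contain an object-like token, so treat it as a triage signal for log review rather than a blocking rule on its own.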

Severity and CVSS Score

This vulnerability is rated as Critical with a CVSS v3.1 base score of 9.8. The vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, which indicates:

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Impact: High on confidentiality, integrity, and availability

Impact

If exploited, this vulnerability may allow attackers to:

  • Execute arbitrary PHP code on the server
  • Access or modify sensitive data
  • Disrupt website functionality or availability

The severity is compounded by the plugin’s widespread usage in WordPress sites and the unauthenticated nature of the attack vector.

Mitigation

  • Update Immediately: Upgrade to MetaSlider version 3.95.0 or later.
  • Monitor for Indicators of Compromise: Review server logs and file integrity for any suspicious activity.
  • Restrict Unnecessary Plugin Use: Deactivate or remove unused plugins to reduce attack surface.

Credits

Thanks to Le Ngoc Anh (Patchstack Alliance) for responsibly reporting this vulnerability.
