Tag: wordpress

  • CVE-2025-26763: PHP Object Injection in MetaSlider Plugin for WordPress

    Overview

    CVE-2025-26763 discloses a critical vulnerability in the popular Responsive Slider by MetaSlider WordPress plugin, affecting all versions up to and including 3.94.0. This issue permits PHP Object Injection via deserialization of untrusted data, exposing affected websites to potential code execution and full system compromise.

    Technical Details

    The vulnerability is categorized under CWE-502: Deserialization of Untrusted Data. In affected versions, insufficient validation when handling serialized data allows attackers to inject specially crafted objects. These objects can manipulate application behavior or trigger execution paths leading to arbitrary code execution, depending on the availability of a Property-Oriented Programming (POP) chain.

    The vulnerable code path does not require authentication or user interaction, making exploitation feasible via network-based attacks.

    Severity and CVSS Score

    This vulnerability is rated as Critical with a CVSS v3.1 base score of 9.8. The vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, which indicates:

    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Impact: High on confidentiality, integrity, and availability

    Impact

    If exploited, this vulnerability may allow attackers to:

    • Execute arbitrary PHP code on the server
    • Access or modify sensitive data
    • Disrupt website functionality or availability

    The severity is compounded by the plugin’s widespread usage in WordPress sites and the unauthenticated nature of the attack vector.

    Mitigation

    • Update Immediately: Upgrade to MetaSlider version 3.95.0 or later.
    • Monitor for Indicators of Compromise: Review server logs and file integrity for any suspicious activity.
    • Restrict Unnecessary Plugin Use: Deactivate or remove unused plugins to reduce attack surface.

    Credits

    Thanks to Le Ngoc Anh (Patchstack Alliance) for responsibly reporting this vulnerability.

  • CVE-2025-2780: Critical File Upload Vulnerability in Woffice Core Plugin

    Overview

    A critical vulnerability has been identified in the Woffice Core plugin for WordPress, affecting all versions up to and including 5.4.21. Tracked as CVE-2025-2780, this flaw enables authenticated users with Subscriber-level access or higher to upload arbitrary files to the server due to missing file type validation in the saveFeaturedImage function.

    Technical Details

    The issue arises from the lack of proper file type validation, which permits users with minimal privileges to upload files of any type. Classified under CWE-434: Unrestricted Upload of File with Dangerous Type, this vulnerability can be exploited to upload executable scripts that may lead to remote code execution (RCE) on the hosting server.

    The vulnerable function, saveFeaturedImage, fails to restrict file MIME types or sanitize file content. This creates an opportunity for threat actors to upload malicious payloads disguised as images or documents.

    Severity and CVSS Score

    This vulnerability has received a CVSS v3.1 base score of 9.8 (Critical), with the vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. This score reflects:

    • Network-based attack vector
    • Low complexity
    • No user interaction required
    • High impact on confidentiality, integrity, and availability

    Potential Impact

    Authenticated users, including Subscribers, could upload files that execute arbitrary code. This opens the door to complete server takeover, data theft, or lateral movement within the hosting environment. Since the attack can be automated, it represents a significant threat for any site using the vulnerable plugin version.

    Mitigation and Recommendations

    • Update Immediately: Upgrade to Woffice Core version 5.4.22 or later.
    • Restrict File Uploads: Use application-layer firewalls or additional plugins to limit file upload types.
    • Monitor Logs: Review recent uploads and access logs for suspicious activity.
    • Review User Roles: Ensure only necessary users have upload permissions.

    Credits

    This vulnerability was responsibly disclosed by Friderika Baranyai.

  • CVE-2025-2798: Critical Authentication Bypass in Woffice CRM WordPress Theme

    Overview

    A critical security vulnerability has been discovered in the Woffice CRM WordPress theme, affecting all versions up to and including 5.4.21. Tracked as CVE-2025-2798, this flaw allows unauthenticated users to gain Administrator-level access through a misconfiguration in the user registration process.

    Technical Details

    The vulnerability is rooted in improper privilege management (CWE-269). Specifically, a misconfiguration involving excluded roles during registration enables attackers to exploit custom login forms. If these forms are in use, unauthenticated users may register accounts with Administrator privileges.

    Even more concerning, this issue can be compounded when combined with CVE-2025-2797, which may allow bypassing the user approval process if an Administrator is tricked into taking certain actions, such as clicking a malicious link.

    Severity and CVSS Score

    This vulnerability has been assigned a CVSS v3.1 score of 9.8 (Critical), with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. This means:

    • Attack Vector: Network-based
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Impact: High on confidentiality, integrity, and availability

    Impact

    The ability for unauthenticated users to register as Administrators poses a severe threat. Attackers could fully compromise the site by gaining control over its administrative features. The combination with other vulnerabilities further increases the risk, potentially enabling full site takeover with little to no user interaction.

    Mitigation Steps

    • Update Immediately: Upgrade to version 5.4.22 or later of the Woffice CRM theme.
    • Audit Custom Login Forms: Review and secure any custom user registration forms in use.
    • Review User Roles: Check for any suspicious administrator accounts created recently.
    • Educate Administrators: Train site admins to avoid clicking unknown or suspicious links.

    Credits

    Thanks to Friderika Baranyai for responsibly disclosing this issue.

  • CVE-2025-2332: PHP Object Injection Vulnerability in WordPress Export Plugin

    Overview

    A critical vulnerability has been identified in the WordPress plugin Export All Posts, Products, Orders, Refunds & Users, affecting all versions up to and including 2.13. Tracked as CVE-2025-2332, this flaw exposes sites to PHP Object Injection due to unsafe deserialization of user input within the returnMetaValueAsCustomerInput function.

    Technical Details

    The vulnerability stems from a lack of input validation when data is passed to the returnMetaValueAsCustomerInput function. Specifically, it deserializes untrusted user input, which creates a condition known as Deserialization of Untrusted Data (CWE-502).

    This vulnerability can allow unauthenticated attackers to inject PHP objects into the application. Although the vulnerable plugin does not contain a known POP chain (Property-Oriented Programming chain), the impact becomes critical if another plugin or theme on the same site introduces such a chain. In such cases, an attacker could:

    • Delete arbitrary files
    • Access sensitive information
    • Execute arbitrary code on the server

    Severity and CVSS Score

    According to CVSS v3.1, this vulnerability has been scored 9.8 (Critical), with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. This score indicates:

    • Attack Vector (AV:N): Exploitable over the network
    • Attack Complexity (AC:L): Low complexity required
    • Privileges Required (PR:N): No authentication necessary
    • User Interaction (UI:N): No user interaction needed
    • Impact (C, I, A: H): High impact on confidentiality, integrity, and availability

    Impact Analysis

    By itself, CVE-2025-2332 cannot be exploited for arbitrary code execution due to the absence of a POP chain in the vulnerable plugin. However, in real-world environments where other plugins or themes introduce a POP chain, the potential damage becomes severe. This highlights the importance of defense-in-depth and avoiding unnecessary plugin installations.

    Mitigation and Recommendations

    • Update Immediately: Site administrators using versions ≤ 2.13 of this plugin should upgrade to a fixed version as soon as one is available.
    • Audit Plugins and Themes: Remove or replace any plugins or themes that may introduce exploitable POP chains.
    • Monitor Logs: Check for unexpected activity or unusual file changes.
    • Use Application Firewalls: Tools like Wordfence can help detect and block such injection attempts.

    Credits

    This vulnerability was responsibly disclosed by Craig Smith.

  • CVE-2025-47582: Critical PHP Object Injection in WPBot Pro WordPress Chatbot Plugin

    Overview

    On May 19, 2025, a critical vulnerability was disclosed under the identifier CVE-2025-47582. This vulnerability affects the WPBot Pro WordPress Chatbot plugin by QuantumCloud, in all versions up to and including 12.7.0. It involves a PHP Object Injection issue due to the unsafe deserialization of untrusted data. This flaw allows attackers to execute arbitrary code remotely and has received a CVSS v3.1 base score of 9.8 (Critical).

    Technical Details

    The core of the vulnerability lies in how the plugin handles serialized data. It fails to properly validate input before deserialization, making it possible for attackers to inject malicious PHP objects. This type of issue is categorized as CWE-502: Deserialization of Untrusted Data, which is a common and severe programming flaw in PHP applications.

    Attackers can exploit this vulnerability to gain full control over the affected website, access sensitive information, alter functionality, or cause a complete service outage. The attack pattern aligns with CAPEC-586: Object Injection, highlighting the risks of allowing deserialization without strict controls.

    CVSS Breakdown

    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    • Attack Vector: Network – Can be exploited remotely.
    • Attack Complexity: Low – No special conditions required.
    • Privileges Required: None – No authentication needed.
    • User Interaction: None – Fully automated attack possible.
    • Confidentiality, Integrity, Availability: High – Complete system compromise possible.

    Impacted Versions

    All versions of WPBot Pro WordPress Chatbot up to and including 12.7.0 are affected. If you are using this plugin, immediate action is strongly recommended.

    Discovery and Credit

    This vulnerability was responsibly disclosed by Tran Nguyen Bao Khanh from VCI – VNPT. The advisory has been published and verified by Patchstack.

    Mitigation Steps

    • Update the WPBot Pro plugin to a version newer than 12.7.0, if available.
    • If no patch is yet available, disable the plugin until a secure version is released.
    • Consider deploying a Web Application Firewall (WAF) to mitigate attack attempts targeting serialized inputs.

    Conclusion

    PHP Object Injection vulnerabilities pose severe security threats, especially when they are exposed over the network without requiring authentication. Developers must avoid using unserialize() on user-supplied input or must implement robust validation controls. Website owners should maintain a regular update strategy and monitor vulnerability disclosures relevant to their stack.

    For further information, consult the official advisory on Patchstack.

  • CVE-2025-47581: Critical PHP Object Injection in WordPress Events Calendar Registration & Tickets Plugin

    Overview

    On May 19, 2025, a critical vulnerability was published under the identifier CVE-2025-47581. This vulnerability affects the popular WordPress plugin Events Calendar Registration & Tickets by Elbisnero, up to version 2.6.0. The flaw is a PHP Object Injection vulnerability resulting from unsafe deserialization of untrusted data. It has received a CVSS v3.1 base score of 9.8 (Critical).

    Technical Details

    The vulnerability stems from improper handling of serialized input within the plugin’s codebase. Specifically, the plugin deserializes data without adequate validation or sanitization, allowing attackers to inject arbitrary PHP objects. This can be exploited to execute arbitrary code or manipulate application behavior.

    According to the Common Weakness Enumeration, this issue maps to CWE-502: Deserialization of Untrusted Data. The vulnerability is cataloged under the CAPEC-586: Object Injection attack pattern, highlighting the security implications of insecure deserialization techniques.

    The CVSS v3.1 vector string for this vulnerability is:

    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    This means:

    • Attack Vector (AV): Network – Can be exploited remotely.
    • Attack Complexity (AC): Low – Easily executed without complex conditions.
    • Privileges Required (PR): None – No authentication required.
    • User Interaction (UI): None – No user involvement necessary.
    • Confidentiality, Integrity, Availability Impact: High – Severe consequences on data and service integrity.

    Impacted Versions

    The vulnerability affects all versions of WordPress Events Calendar Registration & Tickets up to and including version 2.6.0. According to the vendor’s disclosure, newer versions may not be impacted, but users are strongly advised to verify and apply updates promptly.

    Discovery and Credits

    The vulnerability was discovered by Bonds from the Patchstack Alliance, a group dedicated to identifying and mitigating vulnerabilities in WordPress ecosystems. The issue was responsibly disclosed and publicly documented by Patchstack.

    Mitigation

    If you are using a vulnerable version (≤ 2.6.0) of the plugin:

    • Immediately update to a patched version, if available.
    • If no fix is available, consider disabling or replacing the plugin temporarily.
    • Employ a Web Application Firewall (WAF) to detect and block suspicious serialized data patterns.

    Conclusion

    This vulnerability is a stark reminder of the risks associated with deserialization and untrusted user input. Plugin developers should avoid unsafe PHP functions like unserialize() without proper controls and adopt secure coding practices. Website administrators must stay vigilant by keeping plugins up to date and monitoring for new disclosures regularly.

    For further details, see the official advisory on Patchstack.

  • CVE-2025-4389: Critical File Upload Vulnerability in Crawlomatic Plugin for WordPress

    Overview

    A critical vulnerability identified as CVE-2025-4389 affects the Crawlomatic Multipage Scraper Post Generator plugin for WordPress, up to and including version 2.6.8.1. Discovered by Friderika Baranyai and disclosed on May 16, 2025, this flaw enables unauthenticated attackers to upload arbitrary files, potentially leading to remote code execution (RCE).

    Technical Details

    The vulnerability resides in the crawlomatic_generate_featured_image() function, which lacks proper file type validation. As a result, attackers can upload malicious files directly to the affected server without any authentication. This violates best practices in secure coding, particularly around file handling and input validation.

    This issue is categorized under CWE-434: Unrestricted Upload of File with Dangerous Type, which involves failure to restrict uploads to safe file types, opening the door for execution of hostile code on the server.
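
    The missing file type validation that both this entry (crawlomatic_generate_featured_image()) and the Woffice Core entry above (saveFeaturedImage) describe, shown as an added example of the checks a featured-image upload handler needs; this is a hypothetical helper written for this page, not the code of either plugin, and the WordPress functions named in its comments are only pointed to, not called.

```php
<?php
// Added example, hypothetical helper rather than the code of Woffice Core or
// Crawlomatic: validate a featured-image upload before it reaches disk.
// Each check is one that an unrestricted-upload bug (CWE-434) omits.
declare(strict_types=1);

// Allowlist: extension => the exact MIME type the file bytes must really have.
const ALLOWED_IMAGE_TYPES = [
    'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png',
    'gif' => 'image/gif',  'webp' => 'image/webp',
];

/**
 * Returns a safe destination filename or throws. $tmpPath is the received
 * file (e.g. $_FILES['image']['tmp_name']); $clientName is the name the
 * client claimed, trusted only for its extension, and that is cross-checked.
 */
function validate_featured_image(string $tmpPath, string $clientName, int $maxBytes = 5_000_000): string {
    if (!is_file($tmpPath) || filesize($tmpPath) > $maxBytes) {
        throw new RuntimeException('missing or oversized upload');
    }
    // 1. Claimed extension must be allowlisted ("shell.php.jpg" yields "jpg",
    //    which is exactly why steps 2 and 3 exist).
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_IMAGE_TYPES[$ext])) {
        throw new RuntimeException("extension '$ext' not allowed");
    }
    // 2. MIME type sniffed from content, never from the client's Content-Type.
    $sniffed = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($sniffed !== ALLOWED_IMAGE_TYPES[$ext]) {
        throw new RuntimeException("content is $sniffed, expected " . ALLOWED_IMAGE_TYPES[$ext]);
    }
    // 3. It must decode as an image with sane dimensions.
    $info = @getimagesize($tmpPath);
    if ($info === false || $info[0] < 1 || $info[1] < 1 || $info[0] > 10000 || $info[1] > 10000) {
        throw new RuntimeException('not a decodable image');
    }
    // 4. Never reuse the client's name: random name plus the allowlisted extension.
    //    (Inside WordPress, wp_check_filetype_and_ext() does comparable
    //    extension/MIME checks and wp_handle_upload() with a 'mimes'
    //    restriction handles storage.)
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed inputs: a real 1x1 GIF and a PHP script claiming to be one.
$gif = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($gif, base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));
$fake = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($fake, "<?php /* constructed: script disguised as an image */");

foreach ([[$gif, 'photo.gif'], [$fake, 'photo.gif'], [$gif, 'photo.php']] as [$path, $name]) {
    try {
        echo "$name: accepted, stored as ", validate_featured_image($path, $name), "\n";
    } catch (RuntimeException $e) {
        echo "$name: rejected, ", $e->getMessage(), "\n";
    }
}
unlink($gif);
unlink($fake);
```

    Only the first of the three constructed cases is accepted; the second fails the content sniff and the third fails the extension allowlist, which is the ordering that keeps a renamed script from ever being written with an executable name.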

    CVSS Score and Impact

    The vulnerability has been rated CRITICAL with a CVSS v3.1 base score of 9.8. The vector string is:

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    Key characteristics of this score include:

    • Exploitable remotely over a network (AV:N)
    • Low attack complexity (AC:L)
    • No privileges or user interaction required (PR:N, UI:N)
    • High impact on confidentiality, integrity, and availability (C:H, I:H, A:H)

    Impacted Versions

    All versions of the plugin up to and including 2.6.8.1 are affected. Users running these versions are highly encouraged to update or disable the plugin immediately.

    Mitigation and Recommendations

    Users should consult the plugin vendor for updates or security patches. In the absence of an immediate patch, disabling the plugin is advised. For reference and further reading, see:

    CISA’s SSVC analysis identifies the vulnerability as automatable with a total technical impact, further underlining the urgency of remediation efforts.

    Conclusion

    CVE-2025-4389 is a severe security risk for WordPress sites using the Crawlomatic plugin. The ability for unauthenticated users to upload files with no validation represents a significant attack vector. Site administrators must act swiftly to mitigate this threat.

  • CVE-2025-23914: Critical PHP Object Injection in Muzaara Google Ads Report Plugin

    Overview

    CVE-2025-23914 highlights a critical vulnerability in the Muzaara Google Ads Report plugin for WordPress, affecting versions up to and including 3.1. The issue allows PHP Object Injection through the deserialization of untrusted data, potentially enabling full system compromise.

    What is PHP Object Injection?

    PHP Object Injection is a security vulnerability that occurs when user-controllable data is passed to the unserialize() function in PHP. This allows attackers to inject maliciously crafted objects, leading to the execution of code, data manipulation, or even complete application takeover—especially if vulnerable classes with magic methods are present.

    This flaw is categorized under CWE-502: Deserialization of Untrusted Data and maps to CAPEC-586: Object Injection.
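
    The unserialize() pattern just described, which this entry shares with the MetaSlider, Export, WPBot Pro and Events Calendar entries above, next to a hardened loader, as an added example written for this page and not the code of any of those plugins; the WakeupProbe class and the two load_settings_* functions are hypothetical.

```php
<?php
// Added example, not code from any plugin named above: the unsafe pattern
// behind CWE-502 next to a hardened loader for settings that arrive as a
// serialized string. WakeupProbe and both load_settings_* functions are
// hypothetical.
declare(strict_types=1);

// Any class with a magic method is a potential gadget once attacker input
// decides which class unserialize() instantiates. This one only counts.
final class WakeupProbe {
    public static int $calls = 0;
    public function __wakeup(): void { self::$calls++; }
}

// Vulnerable: plain unserialize() instantiates whatever class the input names,
// so __wakeup()/__destruct() of any loaded plugin or theme class can run.
function load_settings_vulnerable(string $raw): mixed {
    return unserialize($raw);
}

// Hardened: allowed_classes => false turns every object token into
// __PHP_Incomplete_Class, so no magic method is reached; the result is then
// rejected unless it is a plain array of scalars.
function load_settings_hardened(string $raw): array {
    if (strlen($raw) > 65536) {
        throw new InvalidArgumentException('serialized blob too large');
    }
    $data = @unserialize($raw, ['allowed_classes' => false, 'max_depth' => 8]);
    if ($data === false && $raw !== 'b:0;') {
        throw new InvalidArgumentException('malformed serialized data');
    }
    if (!is_array($data) || contains_object($data)) {
        throw new InvalidArgumentException('only arrays of scalars are accepted');
    }
    return $data;
}

function contains_object(mixed $v): bool {
    if (is_object($v)) return true;   // true for __PHP_Incomplete_Class too
    if (!is_array($v)) return false;
    foreach ($v as $item) if (contains_object($item)) return true;
    return false;
}

// Constructed inputs: a legitimate settings array and a string naming a class.
$benign = serialize(['width' => 640, 'height' => 360]);
$object = 'O:11:"WakeupProbe":0:{}';

load_settings_vulnerable($object);
printf("vulnerable: __wakeup ran %d time(s)\n", WakeupProbe::$calls);
try {
    load_settings_hardened($object);
} catch (InvalidArgumentException $e) {
    printf("hardened: %s; __wakeup still ran %d time(s)\n", $e->getMessage(), WakeupProbe::$calls);
}
printf("hardened benign: width=%d\n", load_settings_hardened($benign)['width']);
```

    The second printf shows the counter unchanged after the hardened call: with allowed_classes disabled the class named in the input is never instantiated, which is what removes the dependency on whatever POP chain another plugin or theme might provide.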

    Technical Details

    The plugin fails to properly validate or sanitize serialized data inputs, exposing an unsafe deserialization vector. Since this vulnerability:

    • Requires no authentication
    • Is exploitable over the network
    • Needs no user interaction

    It presents an exceptionally high risk for WordPress site operators.

    CVSS Score and Severity

    The vulnerability has been assigned a CVSS v3.1 score of 9.8 (Critical):

    • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    • Attack Vector: Network
    • Privileges Required: None
    • User Interaction: None
    • Impact: High on confidentiality, integrity, and availability

    This indicates a high-impact vulnerability that can be exploited remotely with minimal effort.

    SSVC Assessment

    Based on the Stakeholder-Specific Vulnerability Categorization (SSVC) by CISA, the flaw is:

    • Not yet known to be exploited
    • Highly automatable
    • Technically impactful to a total extent

    These indicators underscore the urgent need for immediate remediation.

    Mitigation

    Administrators using the Muzaara Google Ads Report plugin should:

    • Immediately update or disable the plugin if no patch is available
    • Audit their WordPress installation for suspicious serialized payloads
    • Implement WAF rules to block known deserialization exploits
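
    One way to act on the last two bullets (and on the matching WAF and log-review advice in the Export, WPBot Pro and Events Calendar entries) while a plugin is still unpatched, as an added example written for this page rather than any plugin's or firewall vendor's code; the filter, its regular expression and the sample request are all constructed for illustration.

```php
<?php
// Added example, a hypothetical request filter rather than any plugin's code:
// flag requests carrying serialized object tokens in any parameter, for sites
// that still run an unpatched CWE-502 plugin. Run it early (for instance from
// a mu-plugin), log the hit, and answer 403.
declare(strict_types=1);

// Only O: (object) and C: (custom-serialized) tokens can instantiate a class;
// serialized arrays, strings and integers never match this pattern.
const SERIALIZED_OBJECT_RE = '/(?:^|[;{])[OC]:\d+:"[A-Za-z0-9_\\\\]+":\d+:\{/';

/** Returns the decoding under which $value held an object token, or null. */
function serialized_object_in(string $value): ?string {
    $candidates = ['raw' => $value, 'urldecoded' => rawurldecode($value)];
    // Payloads are often base64-wrapped; strict decoding rejects ordinary text.
    $b64 = base64_decode(strtr($value, '-_', '+/'), true);
    if ($b64 !== false) {
        $candidates['base64'] = $b64;
    }
    foreach ($candidates as $how => $text) {
        if (preg_match(SERIALIZED_OBJECT_RE, $text) === 1) {
            return $how;
        }
    }
    return null;
}

/** Walks GET/POST/COOKIE-style arrays; returns [parameter => decoding] hits. */
function scan_request(array $params, string $prefix = ''): array {
    $hits = [];
    foreach ($params as $key => $value) {
        $name = $prefix === '' ? (string) $key : "{$prefix}[{$key}]";
        if (is_array($value)) {
            $hits += scan_request($value, $name);
        } elseif (is_string($value) && ($how = serialized_object_in($value)) !== null) {
            $hits[$name] = $how;
        }
    }
    return $hits;
}

// Constructed request: ordinary values plus two object tokens, one base64-wrapped.
$request = [
    'slider_id' => '42',
    'settings'  => 'a:1:{s:5:"width";i:640;}',        // serialized array: passes
    'data'      => 'O:8:"stdClass":1:{s:1:"a";i:1;}',  // object token: flagged
    'nested'    => ['blob' => base64_encode('O:8:"stdClass":0:{}')],
];
foreach (scan_request($request) as $param => $how) {
    // In production: error_log(...); http_response_code(403); exit;
    echo "blocked: parameter $param carried an object token ($how)\n";
}
```

    Serialized arrays such as the settings value pass untouched, so the filter can sit in front of plugins that legitimately exchange serialized data; the same function applied to decoded query strings from access logs gives the retrospective audit the bullets ask for.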

    Due to the high severity and ease of exploitation, organizations should treat this vulnerability as a top-priority fix.