CVE-2025-28961

2025-07-16

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 17:26 (vuln.today)
CVE Published: Jul 16, 2025 - 12:15 (nvd)

Description

Deserialization of Untrusted Data vulnerability in Md Yeasin Ul Haider URL Shortener exact-links allows Object Injection. This issue affects URL Shortener: from n/a through <= 3.0.7.

Analysis

Deserialization of untrusted data in the exact-links WordPress plugin (versions up to 3.0.7) enables object injection attacks that could allow remote code execution or privilege escalation. The vulnerability stems from improper handling of serialized PHP objects without validation, permitting attackers to instantiate arbitrary objects and exploit magic methods for malicious purposes. While no CVSS vector or exploit proof-of-concept is publicly documented, the underlying deserialization flaw (CWE-502) represents a critical attack surface in WordPress environments.

Technical Context

The exact-links URL shortener plugin for WordPress improperly deserializes untrusted data, likely via user-supplied input in GET/POST parameters or stored data retrieved from the database. PHP object injection vulnerabilities (CWE-502: Deserialization of Untrusted Data) occur when the unserialize() function processes attacker-controlled strings without prior validation and without restricting instantiation through the allowed_classes entry of its options array. This allows instantiation of arbitrary classes available in the WordPress/plugin scope, potentially triggering dangerous magic methods (__wakeup, __destruct, __toString) that can read files, write to the filesystem, or execute code, depending on which gadget chains exist in the loaded libraries.
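The following added example is not code from the exact-links plugin; it uses a hypothetical class (CacheEntry) and a constructed serialized string to contrast the CWE-502 pattern described above with the allowed_classes hardening and a JSON alternative.

```php
<?php
// Added illustration, not the plugin's own code. Hypothetical class standing
// in for any class that happens to be loaded in the WordPress/plugin scope.
class CacheEntry {
    public $path;
    // Magic method that PHP runs automatically during unserialize(); in a real
    // gadget chain this is where file or code side effects would be triggered.
    public function __wakeup() {
        echo "__wakeup() ran with path={$this->path}\n";
    }
}

// Vulnerable pattern (CWE-502): request input flows straight into unserialize(),
// so any serializable class in scope can be instantiated by the caller.
function vulnerable_load(string $input) {
    return unserialize($input);
}

// Hardened pattern: forbid object instantiation entirely. Any O:... record
// becomes __PHP_Incomplete_Class and no magic method is invoked.
function hardened_load(string $input) {
    $value = unserialize($input, ['allowed_classes' => false]);
    if ($value instanceof __PHP_Incomplete_Class) {
        return null; // a serialized object is never valid input here
    }
    return $value;
}

// Preferred for new code: exchange plain data as JSON, which cannot carry
// objects with behaviour at all.
function safest_load(string $input) {
    return json_decode($input, true, 512, JSON_THROW_ON_ERROR);
}

// Constructed sample shaped like a serialized CacheEntry; in the vulnerable
// scenario such a string arrives in a GET/POST parameter or a stored option.
$constructed = 'O:10:"CacheEntry":1:{s:4:"path";s:12:"/tmp/example";}';

vulnerable_load($constructed);           // __wakeup() runs: object injected
var_dump(hardened_load($constructed));   // NULL: __wakeup() never called
var_dump(safest_load('{"path":"/tmp/example"}')); // plain array, no objects
```

When auditing a plugin, search for unserialize() calls whose argument can originate from request data or from options a lower-privileged user can write, and treat any call without allowed_classes as a finding.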

Affected Products

The exact-links WordPress plugin by Md Yeasin Ul Haider is affected in versions 3.0.7 and all earlier versions (no specified lower bound). The plugin is available on the WordPress plugin repository and is identified by the Patchstack CVE record. CPE information is not formally issued, but the affected product is wordpress-url-shortener (plugin slug: exact-links). Users can verify their installed version via the WordPress admin dashboard under Plugins.

Remediation

Update the exact-links plugin to a patched version released after 3.0.7. Check the official WordPress plugin repository or the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/exact-links/vulnerability/wordpress-url-shortener-3-0-7-php-object-injection-vulnerability?_s_id=cve) for the latest available version and patch release notes. If no patched version is immediately available, disable or remove the exact-links plugin until an update is released by the maintainer. Additionally, review WordPress error logs and any custom deserialization handling in active plugins for similar patterns; consider using WordPress security plugins to monitor for suspicious serialized object activity.

Priority Score

Priority Score: 0 (scale: Low / Medium / High / Critical)
Score components: KEV 0, EPSS +0.1, CVSS +0, POC 0


CVE-2025-28961 vulnerability details – vuln.today
