CVE-2025-30618

EUVD-2025-18549 | CRITICAL 9.8 (CVSS 3.1) | Published 2025-06-17

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (3 events)

- Mar 14, 2026 22:15: Analysis Generated (vuln.today)
- Mar 14, 2026 22:15: EUVD ID Assigned (euvd): EUVD-2025-18549
- Jun 17, 2025 15:15: CVE Published (nvd): CRITICAL 9.8

Description

Deserialization of Untrusted Data vulnerability in yuliaz Rapyd Payment Extension for WooCommerce allows Object Injection. This issue affects Rapyd Payment Extension for WooCommerce: from n/a through 1.2.0.

Analysis

Critical deserialization of untrusted data vulnerability in the yuliaz Rapyd Payment Extension for WooCommerce (versions through 1.2.0) that allows unauthenticated remote attackers to perform object injection attacks. The vulnerability has a CVSS score of 9.8, with a network-accessible attack vector and no authentication required, meaning any attacker who can reach the site over the internet can exploit it without user interaction. Should active exploitation or public proof-of-concept code emerge, this represents an immediate risk to every unpatched WooCommerce installation using this payment plugin.

Technical Context

The vulnerability stems from improper deserialization of untrusted data (CWE-502), a common PHP issue in which user-controlled input is passed to functions such as unserialize() without prior validation. The Rapyd Payment Extension for WooCommerce integrates payment processing into WooCommerce e-commerce platforms and likely deserializes payment response data, webhook payloads, or session data from the Rapyd payment gateway or from user input. PHP object injection via unserialize() lets an attacker instantiate classes already loaded by the application and trigger their magic methods (__wakeup(), __destruct(), __toString()), chaining them to achieve arbitrary code execution. The affected product is identified via CPE as a WooCommerce plugin from vendor 'yuliaz', affected from an unspecified baseline version through 1.2.0, which suggests the vulnerability may have existed since the initial release.

Affected Products

Rapyd Payment Extension for WooCommerce, version 1.2.0 and all prior versions (the exact starting version is not specified in the available data)

Remediation

- Immediate Patching: Update the Rapyd Payment Extension for WooCommerce to a version greater than 1.2.0 (specific patched version not provided in available references; check the WordPress Plugin Directory or yuliaz repository for 1.2.1 or later).
- Vendor Advisory Check: Consult official yuliaz/Rapyd security advisories or the WordPress Plugin Directory security page for CVE-2025-30618 to confirm patched version availability and deployment timeline.
- Temporary Mitigation (if patch unavailable): Disable the Rapyd Payment Extension if not immediately needed, or implement Web Application Firewall (WAF) rules to block suspicious deserialization payloads. However, this is not a reliable long-term mitigation for a network-accessible vulnerability.
- Code-Level Remediation: Replace all instances of unserialize() with secure alternatives: use json_decode() for JSON data, or use safe-by-default deserialization libraries. Validate and sanitize all payment data before processing.
- Input Validation: Implement strict input validation on all webhook endpoints and payment response handlers; reject non-expected data types and structures before any deserialization occurs.
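The code-level remediation and input-validation items above, shown side by side as an added illustration (this is not the Rapyd plugin's source, which is not on this page; the endpoint shape and field names are constructed and PHP 8 is assumed): a webhook handler that feeds the request body to unserialize() next to a hardened handler that accepts JSON only, enforces an explicit schema, and passes on nothing it did not validate.

```php
<?php
// Added illustration for CWE-502 in a payment webhook handler. This is NOT the
// Rapyd plugin's code; endpoint shape and field names are constructed.

// Vulnerable pattern: the raw request body goes straight into unserialize().
// Any class already loaded by WordPress/WooCommerce that defines __wakeup(),
// __destruct() or __toString() becomes reachable to whoever can hit the endpoint.
function handle_webhook_vulnerable(string $raw_body): array {
    $data = unserialize($raw_body); // object injection sink
    return is_array($data) ? $data : [];
}

// Hardened pattern: accept JSON only, enforce an explicit schema, and never
// create PHP objects from network input. Returns null for anything unexpected.
// (Webhook signature verification should run before this; it is out of scope here.)
function handle_webhook_hardened(string $raw_body): ?array {
    try {
        $data = json_decode($raw_body, true, 8, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return null; // malformed JSON: reject before any processing
    }
    if (!is_array($data)) {
        return null;
    }
    // Allowlist of expected fields and their types (constructed example schema).
    $ok = isset($data['event'], $data['payment_id'], $data['amount'], $data['currency'])
        && in_array($data['event'], ['PAYMENT_COMPLETED', 'PAYMENT_FAILED'], true)
        && is_string($data['payment_id'])
        && preg_match('/^[A-Za-z0-9_-]{1,64}$/', $data['payment_id']) === 1
        && is_int($data['amount']) && $data['amount'] >= 0
        && is_string($data['currency'])
        && preg_match('/^[A-Z]{3}$/', $data['currency']) === 1;
    if (!$ok) {
        return null;
    }
    // Pass on only the validated fields; drop anything else the sender included.
    return [
        'event'      => $data['event'],
        'payment_id' => $data['payment_id'],
        'amount'     => $data['amount'],
        'currency'   => $data['currency'],
    ];
}

// If a legacy serialized format cannot be removed yet, at minimum forbid object
// instantiation: objects decode to __PHP_Incomplete_Class and no magic method runs.
function unserialize_no_objects(string $raw): mixed {
    return unserialize($raw, ['allowed_classes' => false]);
}
```

The allowed_classes option is a stopgap for code that still has to read serialized data it produced itself; for anything arriving over the network, the JSON path with schema validation is the fix the remediation list calls for.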

Priority Score: 49 (scale: Low / Medium / High / Critical)

Components: KEV 0; EPSS +0.1; CVSS +49; POC 0

CVE-2025-30618 vulnerability details – vuln.today