WPBot Pro CVE-2025-47582

Severity: CRITICAL
Weakness: Deserialization of Untrusted Data (CWE-502)
Published: 2025-05-19 (audit@patchstack.com)
CVSS 3.1 base score: 9.8 (NVD)
Severity by source

NVD (primary): 9.8 CRITICAL, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (4 events)

Analysis Updated: Apr 28, 2026 - 20:13 (vuln.today), v2 (cvss_changed)
Re-analysis Queued: Apr 23, 2026 - 15:42 (vuln.today), cvss_changed
Analysis Generated: Mar 28, 2026 - 18:42 (vuln.today)
CVE Published: May 19, 2025 - 18:15 (nvd), CRITICAL 9.8

Description (CVE.org)

Deserialization of Untrusted Data vulnerability in QuantumCloud WPBot Pro Wordpress Chatbot allows Object Injection. This issue affects WPBot Pro Wordpress Chatbot: from n/a through 12.7.0.

Analysis (AI)

PHP object injection in WPBot Pro WordPress Chatbot, versions up to and including 12.7.0, lets a remote, unauthenticated attacker execute arbitrary code by supplying crafted serialized data to an unsafe deserialization of user-supplied input. Successful exploitation yields complete system compromise; NVD rates the issue CVSS 9.8 (critical): network accessible, no authentication required, low complexity. No active exploitation is confirmed in CISA KEV, but the EPSS score of 0.37% (59th percentile) indicates moderate exploitation likelihood. The Patchstack database confirms the vulnerability, with technical details available to researchers.

Technical Context (AI)

This is a classic PHP object injection vulnerability (CWE-502) resulting from unsafe deserialization of untrusted data in the WPBot Pro WordPress plugin. PHP's unserialize() function can instantiate arbitrary objects when processing attacker-controlled serialized strings, enabling exploitation through magic methods (__wakeup, __destruct, __toString) or existing gadget chains in WordPress core or other plugins. The chatbot plugin likely deserializes user input from HTTP requests (POST/GET parameters, cookies, or AJAX endpoints) without proper validation or sanitization. WordPress plugins are common targets for deserialization attacks due to widespread use of serialized data for storing configuration, session data, and inter-plugin communication. Successful exploitation requires identifying accessible deserialization entry points and available POP (Property-Oriented Programming) chains in the WordPress environment.

Affected Products (AI)

QuantumCloud WPBot Pro WordPress Chatbot plugin versions from the earliest available release through version 12.7.0 are confirmed vulnerable. The Patchstack advisory (https://patchstack.com/database/wordpress/plugin/wpbot-pro/) provides technical details. No CPE data is provided in the NVD listing; the issue affects WordPress installations running the commercial WPBot Pro plugin, identified by the slug 'wpbot-pro'. Both free and premium versions may be affected, depending on QuantumCloud's product structure.

Remediation (AI)

Upgrade WPBot Pro WordPress Chatbot to version 12.7.1 or later, if QuantumCloud has released it. Verify the current patched version at the vendor's official site or the WordPress plugin repository, because the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/wpbot-pro/) confirms 12.7.0 as the last vulnerable version but does not name the exact fix release.

If no patch is available or an immediate upgrade is not feasible, apply compensating controls, each of which carries an operational trade-off: disable the WPBot Pro plugin entirely until it is patched (removes the attack surface along with the chatbot functionality); restrict wp-admin and AJAX endpoint access to trusted IP addresses via WAF rules or .htaccess (reduces remote exposure but breaks the chatbot for legitimate users outside the trusted-IP list); deploy ModSecurity or a similar WAF with rules that detect PHP serialized object patterns in POST bodies and cookies (may produce false positives on legitimate WordPress serialized data). Monitor WordPress access logs for unusual POST requests to wp-admin/admin-ajax.php with action parameters related to wpbot. Patching is the only complete mitigation.
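The two defender-side checks suggested in the Technical Context and Remediation notes above, as an added example that is not vuln.today's, Patchstack's or QuantumCloud's code: a WAF-style test that flags serialized PHP objects in a parameter or cookie value while letting WordPress's ordinary serialized arrays through (the false-positive source the notes warn about), and an access-log scan for POSTs to wp-admin/admin-ajax.php whose action parameter mentions wpbot. The log lines and action names are constructed placeholders, not the plugin's real AJAX handlers.

```python
"""Defender-side checks for the WPBot Pro deserialization issue (added example,
not code from vuln.today, Patchstack or the plugin vendor)."""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# PHP object token: O:<len>:"<class>":<nprops>:{ (C:... for custom serialization),
# at the start of a value or after ';' / '{' when nested inside an array, e.g.
# a:1:{s:1:"k";O:8:"stdClass":0:{}}. Plain arrays/scalars (a:, s:, i:) do not
# match, so legitimate WordPress serialized settings do not trip the rule.
# Pattern match only, not a parser: an object token inside a string value also fires.
_PHP_OBJECT = re.compile(r'(?:^|[;{])[OC]:\d+:"[^"]+":\d+:\{')

def contains_php_object(value: str) -> bool:
    """True if a (possibly URL-encoded) parameter or cookie carries a PHP object."""
    return _PHP_OBJECT.search(unquote_plus(value)) is not None

# Combined access-log format; only client IP, method, target and status are used.
_LOG = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                  r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def suspicious_ajax_requests(lines) -> list:
    """(ip, target) of POSTs to wp-admin/admin-ajax.php whose action mentions wpbot.

    Caveat: admin-ajax usually takes 'action' from the POST body, which access
    logs do not record; body parameters need a WAF or request-body logging.
    """
    hits = []
    for line in lines:
        m = _LOG.match(line)
        if not m or m['method'] != 'POST':
            continue
        url = urlsplit(m['target'])
        if not url.path.endswith('/wp-admin/admin-ajax.php'):
            continue
        actions = parse_qs(url.query).get('action', [])
        if any('wpbot' in a.lower() for a in actions):
            hits.append((m['ip'], m['target']))
    return hits

# Constructed sample lines; the action names are placeholders, not the plugin's
# real AJAX handlers.
SAMPLE_LOG = [
    '203.0.113.5 - - [19/May/2025:18:15:01 +0000] "POST /wp-admin/admin-ajax.php?action=wpbot_chat HTTP/1.1" 200 512',
    '198.51.100.7 - - [19/May/2025:18:15:02 +0000] "GET /index.php HTTP/1.1" 200 1024',
    '198.51.100.7 - - [19/May/2025:18:15:03 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64',
]
```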
