
CVE-2025-49380: WooCommerce Vehicle Parts Finder

Severity: CRITICAL (CVSS 3.1 base score 9.8, NVD)
Weakness: Deserialization of Untrusted Data (CWE-502)
Date / reporter: 2025-10-22, audit@patchstack.com

Severity by source

NVD (primary): 9.8 CRITICAL, vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD; NVD is the only scoring source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (2 events)

Re-analysis Queued (cvss_changed): Apr 27, 2026 - 20:22, vuln.today
Analysis Generated: Apr 23, 2026 - 16:00, vuln.today

Description (source: CVE.org)

Deserialization of Untrusted Data vulnerability in wpinstinct WooCommerce Vehicle Parts Finder (woo-vehicle-parts-finder) allows Object Injection. This issue affects WooCommerce Vehicle Parts Finder: from n/a through <= 3.7.

Analysis (AI-generated)

PHP object injection in WooCommerce Vehicle Parts Finder plugin versions up to and including 3.7 enables remote, unauthenticated attackers to achieve arbitrary code execution via deserialization of untrusted data. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms network-accessible exploitation without authentication or user interaction. Reported by the Patchstack audit team, the flaw is a critical pre-authentication vulnerability in WordPress e-commerce environments. EPSS data is unavailable and the CVE is not currently listed in CISA KEV, which suggests limited widespread exploitation at the time of disclosure.

Technical Context (AI-generated)

This vulnerability stems from CWE-502 (Deserialization of Untrusted Data), a class of flaws where an application accepts serialized objects from untrusted sources without proper validation. In PHP, unserialize() can instantiate any class that is loaded at the time of the call and triggers magic methods (__wakeup, __destruct, __toString) during object reconstruction, before the calling code ever inspects the result. The WooCommerce Vehicle Parts Finder plugin (woo-vehicle-parts-finder), designed for automotive parts catalogs in WordPress/WooCommerce environments, processes serialized data through an attack surface accessible to unauthenticated remote users. The plugin integrates with WooCommerce (the WordPress e-commerce framework) to filter vehicle-specific product listings. PHP object injection becomes exploitable when an attacker controls the serialized input and the application (core, theme, or any installed plugin) contains classes whose magic methods can be chained into a property-oriented programming (POP) chain to achieve code execution, file manipulation, or SQL injection.
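The CWE-502 pattern described above and a hardened replacement, as an added example that is not the plugin's code (the advisory does not identify the vulnerable function). The handler names (vpf_*), the vehicle_filter request field, the nonce action and the meta key are assumptions for illustration; the WordPress functions used (wp_unslash, check_ajax_referer, wp_send_json_success, sanitize_text_field, $wpdb->prepare) are real core APIs.

```php
<?php
// Added example (not the plugin's code): a CWE-502 handler beside its hardened form.
// All vpf_* names, the 'vehicle_filter' field and the meta key are assumptions.

// --- Vulnerable pattern: request data goes straight into unserialize(). ---
// Any class loaded by WordPress (core, theme, other plugins) can be instantiated
// and its __wakeup()/__destruct() run before this handler looks at the data.
function vpf_vulnerable_ajax_handler() {
    $raw    = isset($_POST['vehicle_filter']) ? wp_unslash($_POST['vehicle_filter']) : '';
    $filter = unserialize($raw);                      // CWE-502: untrusted input
    wp_send_json_success(vpf_apply_filter((array) $filter));
}

// --- Hardened pattern: user input never reaches unserialize(); the filter is
// JSON, reduced to a fixed whitelist of scalar fields before any query. ---
function vpf_hardened_ajax_handler() {
    check_ajax_referer('vpf_filter_nonce', 'nonce');  // assumed nonce action name
    $raw    = isset($_POST['vehicle_filter']) ? wp_unslash($_POST['vehicle_filter']) : '';
    $filter = vpf_parse_filter($raw);
    if ($filter === null) {
        wp_send_json_error(['message' => 'invalid filter'], 400);
    }
    wp_send_json_success(vpf_apply_filter($filter));
}

/**
 * Decode a JSON filter and keep only known scalar fields.
 * Returns null on any deviation; never produces objects.
 */
function vpf_parse_filter(string $raw): ?array {
    if (strlen($raw) > 1024) {
        return null;                                  // cheap size cap
    }
    $data = json_decode($raw, true, 2);               // assoc arrays only; nesting capped
    if (!is_array($data)) {
        return null;
    }
    $allowed = ['make' => 64, 'model' => 64, 'year' => 4];   // field => max length
    $clean   = [];
    foreach ($data as $key => $value) {
        if (!isset($allowed[$key]) || !is_scalar($value)) {
            return null;                              // unknown key or non-scalar value
        }
        $value = trim((string) $value);
        if ($value === '' || strlen($value) > $allowed[$key]) {
            return null;
        }
        if ($key === 'year' && !ctype_digit($value)) {
            return null;
        }
        $clean[$key] = sanitize_text_field($value);
    }
    return $clean ?: null;
}

// If a serialized wire format must be kept for compatibility, at minimum refuse
// to build objects: with allowed_classes => false every object in the payload
// becomes __PHP_Incomplete_Class and no __wakeup()/__destruct() gadget runs.
function vpf_unserialize_no_objects(string $raw) {
    return unserialize($raw, ['allowed_classes' => false]);
}

function vpf_apply_filter(array $filter): array {
    global $wpdb;
    // Placeholder query: the plugin's real tables and meta keys are not known.
    $sql = $wpdb->prepare(
        "SELECT post_id FROM {$wpdb->postmeta} WHERE meta_key = %s AND meta_value = %s",
        'vpf_make', $filter['make'] ?? ''
    );
    return $wpdb->get_col($sql);
}

// Only the hardened handler is registered; 'nopriv' exposes it to unauthenticated users,
// which is exactly why the input must be treated as hostile.
add_action('wp_ajax_nopriv_vpf_filter', 'vpf_hardened_ajax_handler');
add_action('wp_ajax_vpf_filter', 'vpf_hardened_ajax_handler');
```

The key design choice is that the hardened handler has no code path in which attacker-controlled bytes decide which class is constructed: JSON decoding with the associative flag yields only arrays and scalars, and the whitelist rejects anything outside three bounded fields. The allowed_classes => false fallback is a narrower fix for code that cannot change its wire format; it stops gadget execution but still accepts arbitrary nested arrays, so shape validation remains necessary.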

Affected Products (AI-generated)

WooCommerce Vehicle Parts Finder (woo-vehicle-parts-finder) plugin for WordPress, versions from initial release through 3.7 inclusive. This affects WordPress sites running WooCommerce with the vehicle parts finder functionality installed. The vulnerability exists in the plugin's PHP codebase where user-controllable input reaches deserialization functions. Vendor advisory available at Patchstack database: https://patchstack.com/database/Wordpress/Plugin/woo-vehicle-parts-finder/vulnerability/wordpress-woocommerce-vehicle-parts-finder-plugin-3-7-php-object-injection-vulnerability

Remediation (AI-generated)

Upgrade the WooCommerce Vehicle Parts Finder plugin to version 3.8 or later if available. Verify the current release via the WordPress.org plugin repository or the vendor site: the Patchstack reference states that 3.7 is vulnerable but does not explicitly confirm the fixed version. In the WordPress admin dashboard, open the Plugins section and update woo-vehicle-parts-finder immediately.

If a patched version is not yet released or cannot be deployed immediately, apply one of these compensating controls, each with the noted trade-off:

(1) Deactivate and delete the plugin until a patch is available. This eliminates the attack surface but removes vehicle parts filtering from the WooCommerce storefront, which affects the shopping experience for automotive retailers.

(2) Restrict access with web application firewall rules that block direct requests to /wp-content/plugins/woo-vehicle-parts-finder/ endpoints accepting serialized data. This requires identifying the specific vulnerable endpoints (likely AJAX handlers or REST API routes) and may break legitimate functionality, so test before enforcing.

(3) Deploy a WordPress security plugin with virtual patching capability (Wordfence, Sucuri) configured to block PHP object injection patterns in POST/GET parameters. This adds latency and may generate false positives.

Confirm the fix by reviewing the plugin changelog and testing the deserialization attack vectors in a staging environment.
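Control (3) above, implemented without a third-party security plugin, as an added example that is neither vendor code nor a product rule: a must-use plugin that rejects any request whose parameters carry a PHP serialized-object payload. The file name, the log prefix and the regular expression are my own; the pattern matches the O:<len>:"<class>":<n>:{ and C:<len>:"<class>":<n>:{ prefixes that every serialized PHP object starts with. It is a stop-gap until the plugin is updated, and it will block legitimate requests that genuinely need to carry serialized objects, so watch the error log after deploying it.

```php
<?php
/**
 * Plugin Name: VPF Object-Injection Guard (added example, not vendor code)
 * Description: Rejects requests carrying PHP serialized-object payloads in
 *              GET/POST/cookie parameters or the raw body. Compensating control
 *              only; remove once woo-vehicle-parts-finder is updated.
 */
// Install as wp-content/mu-plugins/vpf-object-injection-guard.php (standard WP layout assumed).
// mu-plugins load before regular plugins, so this runs before any plugin code
// has a chance to call unserialize() on the request.

// Serialized PHP objects look like O:8:"stdClass":1:{...}; C: is the
// Serializable-interface form. A storefront filter request never needs either.
const VPF_GUARD_PATTERN = '/(^|[^A-Za-z0-9])[OC]:\d+:"[^"]{1,255}":\d+:\{/';

/** True when a string (or any string inside a nested array) carries an object prefix. */
function vpf_guard_value_is_suspicious($value): bool {
    if (is_array($value)) {
        foreach ($value as $v) {
            if (vpf_guard_value_is_suspicious($v)) {
                return true;
            }
        }
        return false;
    }
    if (!is_string($value)) {
        return false;
    }
    // Check the raw value plus one level of URL and base64 decoding. Deeper or
    // layered encodings are a known gap of this control; the plugin update closes it properly.
    $candidates = [$value, rawurldecode($value)];
    $b64 = base64_decode($value, true);
    if ($b64 !== false) {
        $candidates[] = $b64;
    }
    foreach ($candidates as $c) {
        if (preg_match(VPF_GUARD_PATTERN, $c)) {
            return true;
        }
    }
    return false;
}

/** Pure check over the request parts, kept separate from enforcement so it can be unit-tested. */
function vpf_guard_request_is_suspicious(array $get, array $post, array $cookie, string $body): bool {
    return vpf_guard_value_is_suspicious($get)
        || vpf_guard_value_is_suspicious($post)
        || vpf_guard_value_is_suspicious($cookie)
        || vpf_guard_value_is_suspicious($body);
}

function vpf_guard_enforce(): void {
    $body = file_get_contents('php://input');
    if ($body === false) {
        $body = '';
    }
    if (!vpf_guard_request_is_suspicious($_GET, $_POST, $_COOKIE, $body)) {
        return;
    }
    // Log enough to investigate (source, target) without echoing the payload back.
    error_log(sprintf('[vpf-guard] blocked serialized-object payload from %s to %s',
        $_SERVER['REMOTE_ADDR'] ?? '-', $_SERVER['REQUEST_URI'] ?? '-'));
    status_header(403);
    nocache_headers();
    exit('Forbidden');
}

vpf_guard_enforce();   // run at load time, before any regular plugin is included
```

Treat the "[vpf-guard] blocked" log line as a detection signal as well as a block: a burst of hits against admin-ajax.php or the plugin directory from one source, after this CVE's publication date, is worth correlating with the other compensating controls and with the upgrade status of the site.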

CVE-2025-49380 vulnerability details – vuln.today
