What is the CVSS score of CVE-2025-49386?

CVE-2025-49386 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of Scott Reilly Preserve Code Formatting are affected by CVE-2025-49386?

WordPress plugin Preserve Code Formatting (v4.0.1 and earlier) contains a critical PHP object injection flaw allowing authenticated low-privilege users (Contributor accounts and above) to execute…

How to fix or mitigate CVE-2025-49386?

Within 24 hours: Disable or uninstall Preserve Code Formatting plugin v4.0.1 and earlier across all WordPress instances; audit user accounts for unexpected Contributor-level or higher privileges. Within 7 days: Verify no malicious code execution occurred by reviewing web application firewall logs, PHP error logs, and WordPress audit logs for serialized object deserialization attempts; review database for unauthorized modifications. Within 30 days: Contact plugin vendor for patch status; identify alternative code formatting solutions; implement Web Application Firewall (WAF) rules to block PHP object injection patterns as interim protection until patched version becomes available.

Scott Reilly Preserve Code Formatting CVE-2025-49386

HIGH

Deserialization of Untrusted Data (CWE-502)

2025-11-06 audit@patchstack.com

Deserialization

8.8

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

8.8 HIGH

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Updated

Apr 24, 2026 - 01:00 vuln.today

v2 (cvss_changed)

Re-analysis Queued

Apr 23, 2026 - 15:43 vuln.today

cvss_changed

Severity Changed

Apr 23, 2026 - 15:43 NVD

CRITICAL HIGH

CVSS changed

Apr 23, 2026 - 15:43 NVD

9.8 (CRITICAL) 8.8 (HIGH)

Analysis Generated

Mar 28, 2026 - 19:20 vuln.today

CVE Published

Nov 06, 2025 - 16:15 nvd

CRITICAL 9.8

DescriptionCVE.org

Deserialization of Untrusted Data vulnerability in Scott Reilly Preserve Code Formatting preserve-code-formatting allows Object Injection.This issue affects Preserve Code Formatting: from n/a through <= 4.0.1.

AnalysisAI

PHP object injection in WordPress plugin Preserve Code Formatting 4.0.1 and earlier enables authenticated attackers to execute arbitrary code or manipulate application state. Remote attackers with low-privilege WordPress accounts (Contributor-level or above) can inject malicious serialized objects through unsafe deserialization, achieving high impact to confidentiality, integrity, and availability. EPSS score of 0.10% indicates minimal widespread exploitation activity, though the vulnerability requires only low-complexity exploitation with no user interaction once authenticated access is obtained.

CVE-2025-49386 vulnerability details – vuln.today

Back

Scott Reilly Preserve Code Formatting CVE-2025-49386

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Share

External POC / Exploit Code