CVE-2025-60238

CRITICAL
2025-10-22 [email protected]
9.8
CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 15:22 (vuln.today)
CVE Published: Oct 22, 2025 - 15:16 (nvd)

Description

Deserialization of Untrusted Data vulnerability in universam UNIVERSAM universam-demo allows Object Injection. This issue affects UNIVERSAM: from n/a through <= 9.03.

Analysis

PHP object injection in the UNIVERSAM WordPress plugin (universam-demo): the plugin hands untrusted data to PHP's deserializer, so a remote, unauthenticated attacker can inject objects with attacker-chosen property values. What that buys depends on the gadget chains reachable in the installed WordPress codebase; in the worst case it is remote code execution, full data compromise, or denial of service, which is what the CVSS 3.1 vector (network, low complexity, no privileges, no user interaction, C/I/A High) scores. Affects all versions up to and including 9.03. EPSS puts the exploitation probability at 0.10% (28th percentile), and no public exploit was identified at the time of analysis, so the immediate real-world risk is lower than the 9.8 score alone suggests. That assessment can change quickly once a public PoC or a gadget chain for a common plugin set appears, so re-check the EPSS and POC indicators rather than treating them as fixed.

Technical Context

This vulnerability is CWE-502 (Deserialization of Untrusted Data): the application hands user-controlled input to a deserializer without validating it. In PHP that deserializer is unserialize(). It instantiates whatever class the input names (provided the class is already loaded or can be autoloaded), sets the object's properties to attacker-chosen values, and never calls the constructor. The UNIVERSAM WordPress plugin (universam-demo) processes serialized PHP data from untrusted sources without sanitization, so an attacker can inject such objects. Magic methods then run without any further action by the application: __wakeup() and __unserialize() during unserialize() itself, __destruct() when the injected object is freed (at the latest at script shutdown), and __toString() if the object is later used in string context. A class whose magic method does something useful to the attacker, such as writing a file or evaluating a template, is a gadget; several such objects nested inside one another form a gadget chain. WordPress sites are fertile ground because every active plugin and theme adds classes to the pool of candidate gadgets, and published chains exist for widely used PHP libraries. The standard fixes are to stop accepting serialized PHP from untrusted sources at all (use JSON), or, where the wire format cannot change, to call unserialize() with ['allowed_classes' => false], which turns every object token into __PHP_Incomplete_Class so no real class's magic methods run.
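The mechanism above, as an added example (this is not code from the UNIVERSAM plugin, Patchstack or vuln.today). The gadget class LogWriter, the importSettings*() functions and the base64 wire format are hypothetical stand-ins for a plugin's unserialize() sink; the payload is constructed by hand the way an attacker would build it. The vulnerable sink writes a file through the injected object's __destruct(); the hardened sink refuses the object token and returns null.

```php
<?php
// Added example, not code from the UNIVERSAM plugin. LogWriter, the
// importSettings*() functions and the base64 wire format are hypothetical.

// A gadget: any already-loaded class whose magic method does something an
// attacker can use. unserialize() creates the object with attacker-chosen
// property values and never calls the constructor.
class LogWriter
{
    public $path;
    public $data;

    // Runs when the object is freed: for an injected object that is as soon
    // as the sink drops its reference, or at script shutdown at the latest.
    public function __destruct()
    {
        file_put_contents($this->path, $this->data);
    }
}

// Vulnerable sink: no class restriction, so any O:/C: token in the input
// instantiates a real class and its magic methods run.
function importSettingsVulnerable(string $raw)
{
    return unserialize(base64_decode($raw));
}

// Hardened sink, same wire format: allowed_classes => false turns every
// object token into __PHP_Incomplete_Class, so no real magic method runs.
// Anything that is not a plain array of scalars is rejected on top of that.
function importSettingsHardened(string $raw): ?array
{
    $decoded = base64_decode($raw, true);
    if ($decoded === false) {
        return null;
    }
    $settings = @unserialize($decoded, ['allowed_classes' => false]);
    if (!is_array($settings)) {
        return null;
    }
    $clean = true;
    array_walk_recursive($settings, function ($v) use (&$clean) {
        // __PHP_Incomplete_Class placeholders are objects, so they fail this test
        if (!is_scalar($v) && $v !== null) {
            $clean = false;
        }
    });
    return $clean ? $settings : null;
}

// Preferred for new code: a wire format that cannot carry objects at all.
function importSettingsJson(string $raw): ?array
{
    $settings = json_decode($raw, true, 32, JSON_THROW_ON_ERROR);
    return is_array($settings) ? $settings : null;
}

// Constructed attacker payload: one LogWriter whose __destruct() writes a
// file of the attacker's choosing. Built by hand; the attacker needs no
// access to the class, only its name and property names.
$target  = sys_get_temp_dir() . '/poi-demo.txt';
$content = "written by injected __destruct()\n";
$payload = base64_encode(sprintf(
    'O:9:"LogWriter":2:{s:4:"path";s:%d:"%s";s:4:"data";s:%d:"%s";}',
    strlen($target), $target, strlen($content), $content
));

@unlink($target);
importSettingsVulnerable($payload);   // object built, reference dropped, __destruct() runs
printf("vulnerable sink: %s\n", file_exists($target) ? 'file written' : 'no file');

@unlink($target);
var_dump(importSettingsHardened($payload));   // object token refused by the hardened sink
printf("hardened sink:   %s\n", file_exists($target) ? 'file written' : 'no file');
```

Run it with any PHP 7.1 or later CLI. The demo writes only to the system temp directory, but the same payload aimed at a web-reachable path with PHP content is a webshell, which is why the CVSS vector scores confidentiality, integrity and availability all High. Note that the hardened variant still parses the serialized format; a class that was not refused here could still be reached through a different sink, so replacing the format with JSON is the more durable fix.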

Affected Products

This vulnerability affects the UNIVERSAM WordPress plugin (Patchstack slug universam-demo) in all versions through 9.03 inclusive; the NVD record gives no lower bound ("from n/a"), so every earlier release should be treated as affected. The plugin appears to be developed by universam, with the vulnerable component being the code path that deserializes incoming data. Verify installed versions in the WordPress admin panel under Plugins, or with WP-CLI (`wp plugin list` prints name, status and version for every installed plugin). The Patchstack database entry at https://patchstack.com/database/Wordpress/Plugin/universam-demo/ carries the affected-version information. Note that the advisory URL cited under Remediation names version 8.72.14 in its slug while the NVD description gives <= 9.03; take 9.03 as the ceiling until the advisory states a fixed version.

Remediation

Sites running UNIVERSAM 9.03 or earlier should update to a patched release as soon as one is available from the WordPress plugin repository or the vendor; check the plugin changelog and vendor release notes for an explicit mention of the deserialization fix, since a version bump alone proves nothing. If no fixed version exists, deactivate and delete the plugin until one does, after deciding whether its functionality is business-critical; deactivation alone is not enough, because the plugin's PHP files remain on disk and can be requested directly if they do not guard against that. Where removal is not feasible, treat the following as stop-gaps, not fixes: add web application firewall (WAF) rules that inspect request parameters, including base64- and URL-encoded values, for serialized PHP object tokens (O:<len>:"<class>":) and block them, and restrict whatever you can through WordPress role-based access controls. Keep in mind that the CVSS vector says no privileges are required, so the vulnerable entry point is reachable before any WordPress role check applies; locking down the admin UI does not close it. Monitor the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/universam-demo/vulnerability/wordpress-universam-plugin-8-72-14-php-object-injection-vulnerability for updated remediation guidance and a confirmed fix version. Finally, audit any installation where the plugin was active for signs of prior exploitation: unexpected PHP files under wp-content/uploads or other writable directories, modified core, plugin or theme files (compare against pristine copies), unknown administrator accounts, and unfamiliar WP-Cron scheduled events.
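The request-filtering stop-gap described above, as an added example shaped as a WordPress must-use plugin (drop the file into wp-content/mu-plugins/ so it loads before ordinary plugins). This is not code from the UNIVERSAM plugin, Patchstack or vuln.today; the regex, the decode depth, the function names and the sample inputs are assumptions made for this example. It rejects any request whose parameters, cookies or raw body carry a serialized PHP object token, plainly or under up to two layers of base64 or URL encoding, and logs what it blocked.

```php
<?php
/**
 * Plugin Name: Serialized-object request filter (added example, hypothetical)
 *
 * Stop-gap only: blocks requests carrying a serialized PHP object. Regex,
 * decode depth and function names are assumptions made for this example.
 */

// A serialized object begins O:<len>:"<class>":<n>:{ (or C: for classes with
// custom serialization). Scalars and arrays (s:, i:, a:) are left alone,
// since plugins legitimately round-trip those in options and AJAX calls.
const POI_OBJECT_TOKEN = '/(?:^|[^A-Za-z0-9])[OC]:\d+:"[A-Za-z_\\\\][A-Za-z0-9_\\\\]*":\d+:\{/';

function poi_contains_serialized_object(string $value, int $depth = 2): bool
{
    if (preg_match(POI_OBJECT_TOKEN, $value) === 1) {
        return true;
    }
    if ($depth <= 0) {
        return false;
    }
    // Peel one encoding layer at a time and look again.
    $b64 = base64_decode($value, true);
    if ($b64 !== false && $b64 !== '' && poi_contains_serialized_object($b64, $depth - 1)) {
        return true;
    }
    $url = rawurldecode($value);
    if ($url !== $value && poi_contains_serialized_object($url, $depth - 1)) {
        return true;
    }
    return false;
}

// Walk nested request arrays; keys are checked as well as values.
function poi_request_has_serialized_object($data): bool
{
    if (is_array($data)) {
        foreach ($data as $k => $v) {
            if (poi_request_has_serialized_object($k) || poi_request_has_serialized_object($v)) {
                return true;
            }
        }
        return false;
    }
    return is_string($data) && poi_contains_serialized_object($data);
}

function poi_block_request(): void
{
    $sources = [$_GET, $_POST, $_COOKIE];
    $body = file_get_contents('php://input');   // reusable stream since PHP 5.6
    if ($body !== false && $body !== '') {
        $sources[] = ['body' => $body];
    }
    foreach ($sources as $source) {
        if (poi_request_has_serialized_object($source)) {
            error_log(sprintf('poi-filter: blocked %s %s from %s',
                $_SERVER['REQUEST_METHOD'] ?? '?',
                $_SERVER['REQUEST_URI'] ?? '?',
                $_SERVER['REMOTE_ADDR'] ?? '?'));
            http_response_code(403);
            exit('Forbidden');
        }
    }
}

if (defined('ABSPATH')) {
    poi_block_request();   // running inside WordPress
} elseif (PHP_SAPI === 'cli') {
    // Constructed samples for a stand-alone check: php poi-filter.php
    $samples = [
        'plain object'  => 'O:9:"LogWriter":2:{s:4:"path";s:10:"/tmp/x.php";s:4:"data";s:5:"hello";}',
        'base64 object' => base64_encode('a:1:{i:0;O:8:"stdClass":0:{}}'),
        'urlencoded'    => rawurlencode('O:8:"stdClass":0:{}'),
        'plain array'   => 'a:1:{s:3:"key";s:5:"value";}',
        'ordinary text' => 'Hello, WordPress',
    ];
    foreach ($samples as $label => $value) {
        printf("%-14s -> %s\n", $label, poi_contains_serialized_object($value) ? 'BLOCK' : 'allow');
    }
}
```

The first three samples are blocked and the last two allowed. Limits to keep in mind: gzip, custom encodings or a third encoding layer pass through, and serialized data that reaches the sink from storage (for example an option written through another vector) never crosses this filter at all. Watch the error log for false positives on forms that legitimately submit serialized data before relying on it, and remove it once a fixed plugin version is installed.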

Priority Score

49 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.1
CVSS: +49
POC: 0

CVE-2025-60238 vulnerability details – vuln.today