
WordPress CVE-2025-67535

MEDIUM
Deserialization of Untrusted Data (CWE-502)
2025-12-09 audit@patchstack.com
6.6
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
6.6 MEDIUM
AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (3 events)

CVSS changed: Apr 23, 2026 - 15:43 (NVD), 6.5 (MEDIUM) to 6.6 (MEDIUM)
Analysis Generated: Apr 01, 2026 - 15:22 (vuln.today)
CVE Published: Dec 09, 2025 - 16:18 (nvd), MEDIUM 6.5

Description (CVE.org)

Deserialization of Untrusted Data vulnerability in Flipper Code - WordPress Development Company WP Maps wp-google-map-plugin allows Object Injection. This issue affects WP Maps: from n/a through <= 4.8.6.

Analysis (AI)

Deserialization of untrusted data in WP Maps WordPress plugin versions up to 4.8.6 allows high-privileged authenticated users to inject and instantiate arbitrary PHP objects, potentially leading to code execution or privilege escalation. While the CVSS score of 6.5 reflects high confidentiality and integrity impact, the requirement for administrator-level privileges (PR:H) and user interaction (UI:R) significantly constrains real-world exploitability. EPSS score of 0.04% indicates minimal observed exploitation likelihood despite the vulnerability's technical severity.

Technical Context (AI)

WP Maps is a WordPress plugin for embedding Google Maps functionality. The vulnerability stems from unsafe deserialization of PHP objects (CWE-502), likely in plugin settings or data handling routines that reconstruct serialized PHP objects without validation. Attackers with administrative credentials can craft malicious serialized objects that, when unserialized, trigger PHP magic methods (__wakeup, __destruct, etc.) to execute arbitrary code through gadget chains. The local attack vector (AV:L) indicates the attack must originate from the WordPress admin dashboard or a similarly privileged context, not from unauthenticated remote access.

Affected Products (AI)

WP Maps (wp-google-map-plugin) by Flipper Code versions from an unspecified baseline through version 4.8.6 inclusive. The exact affected version range lower bound is not clearly documented in available data. Additional CPE identification for this WordPress plugin may be available through the Patchstack database referenced in the NVD entry.

Remediation (AI)

Update WP Maps to a patched version released after 4.8.6; exact patched version number is not provided in available references. Immediately review WordPress user accounts and revoke administrative privileges from unnecessary or untrusted users. Audit serialized object handling in custom WordPress code and plugins, and consider implementing PHP object filters via security plugins. See Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/wp-google-map-plugin/vulnerability/wordpress-wp-maps-plugin-4-8-6-php-object-injection-vulnerability?_s_id=cve) for vendor patch availability and detailed remediation guidance.
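As an added illustration of the CWE-502 pattern described in the Technical Context and Remediation sections (this is constructed demo code, not code from the WP Maps plugin or from the Patchstack advisory), the snippet below shows why an unserialize() call on sender-controlled data lets the sender pick which class is instantiated and so which __wakeup runs, and how PHP's built-in allowed_classes filter stops that. The SettingsCache class, the load_unsafe/load_safe names and the serialized string are all assumptions made up for the demo.

```php
<?php
// Constructed stand-in for any application class whose magic methods have
// side effects when PHP rebuilds it from serialized data.
// (Demo only; not a class from the WP Maps plugin.)
class SettingsCache {
    public $path = '/tmp/cache';

    public function __wakeup() {
        // In a real object-injection chain, side effects here (file or
        // database writes, further includes) are what the attacker relies on.
        echo "__wakeup ran for " . __CLASS__ . " with path={$this->path}\n";
    }
}

// Constructed "untrusted" input: a serialized object string as it might
// arrive in a settings field or import file. The sender chose the class.
$untrusted = 'O:13:"SettingsCache":1:{s:4:"path";s:13:"/tmp/injected";}';

// Vulnerable pattern (CWE-502): every class the application has loaded is
// a candidate for instantiation, and its __wakeup/__destruct will fire.
function load_unsafe(string $data) {
    return unserialize($data);
}

// Hardened pattern: refuse to instantiate objects at all. Scalars and
// arrays still round-trip; an object becomes __PHP_Incomplete_Class and
// no magic method is invoked. Use an explicit class list only when the
// data legitimately must carry objects of known, side-effect-free types.
function load_safe(string $data) {
    return unserialize($data, ['allowed_classes' => false]);
}

// Detection hint for audits: log any incomplete-class result, since it
// means serialized object data reached a path that should never carry it.
function is_object_injection_attempt($value): bool {
    return $value instanceof __PHP_Incomplete_Class;
}

$a = load_unsafe($untrusted);   // __wakeup fires: the input chose the class
$b = load_safe($untrusted);     // nothing runs; $b is an incomplete class
var_dump($a instanceof SettingsCache);
var_dump(is_object_injection_attempt($b));
```

Where the stored value never needs to carry objects, replacing serialize()/unserialize() with json_encode()/json_decode() removes the class-selection problem entirely rather than filtering it.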


CVE-2025-67535 vulnerability details – vuln.today
