CVE-2025-67535

MEDIUM
2025-12-09 [email protected]
6.5
CVSS 3.1

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 15:22 (vuln.today)
CVE Published: Dec 09, 2025 - 16:18 (nvd), MEDIUM 6.5

Description

Deserialization of Untrusted Data vulnerability in Flipper Code - WordPress Development Company WP Maps wp-google-map-plugin allows Object Injection. This issue affects WP Maps: from n/a through <= 4.8.6.

Analysis

Deserialization of untrusted data in WP Maps WordPress plugin versions up to 4.8.6 allows high-privileged authenticated users to inject and instantiate arbitrary PHP objects, potentially leading to code execution or privilege escalation. While the CVSS score of 6.5 reflects high confidentiality and integrity impact, the requirement for administrator-level privileges (PR:H) and user interaction (UI:R) significantly constrains real-world exploitability. EPSS score of 0.04% indicates minimal observed exploitation likelihood despite the vulnerability's technical severity.

Technical Context

WP Maps is a WordPress plugin for embedding Google Maps functionality. The vulnerability stems from unsafe deserialization of PHP objects (CWE-502), likely in plugin settings or data handling routines that reconstruct serialized PHP objects without validation. Attackers with administrative credentials can craft malicious serialized objects that, when unserialized, trigger PHP magic methods (__wakeup, __destruct, etc.) to execute arbitrary code through gadget chains. The local attack vector (AV:L) indicates the attack must originate from the WordPress admin dashboard or a similarly privileged context, not from unauthenticated remote access.

Affected Products

WP Maps (wp-google-map-plugin) by Flipper Code versions from an unspecified baseline through version 4.8.6 inclusive. The exact affected version range lower bound is not clearly documented in available data. Additional CPE identification for this WordPress plugin may be available through the Patchstack database referenced in the NVD entry.

Remediation

Update WP Maps to a patched version released after 4.8.6; exact patched version number is not provided in available references. Immediately review WordPress user accounts and revoke administrative privileges from unnecessary or untrusted users. Audit serialized object handling in custom WordPress code and plugins, and consider implementing PHP object filters via security plugins. See Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/wp-google-map-plugin/vulnerability/wordpress-wp-maps-plugin-4-8-6-php-object-injection-vulnerability?_s_id=cve) for vendor patch availability and detailed remediation guidance.
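To make the CWE-502 pattern described under Technical Context and the "audit serialized object handling" advice above concrete, here is an added PHP example that is not code from the WP Maps plugin. It uses a hypothetical PluginSettings class and constructed sample inputs to contrast an unsafe unserialize() call with one that forbids object instantiation via allowed_classes (PHP 7.0+).

```php
<?php
// Added example (not from WP Maps): why unserialize() on attacker-influenced
// data is CWE-502, and how to harden it. Class and format are hypothetical.

class PluginSettings {
    public $zoom = 10;
    public $wokeUp = false;
    // Magic method: PHP calls this automatically during unserialize(),
    // which is what makes object injection dangerous in real code bases.
    public function __wakeup() { $this->wokeUp = true; }
}

// Constructed sample: what a legitimate settings field might contain.
$legit = serialize(['zoom' => 12, 'center' => 'Paris']);
// Constructed sample: the same field naming a class instead of an array.
// Any class loaded at that moment can be named here ("PluginSettings" is 14 chars).
$objectPayload = 'O:14:"PluginSettings":1:{s:4:"zoom";i:99;}';

// Vulnerable pattern: no class restriction, so objects are instantiated
// and their magic methods run before the caller can inspect anything.
function loadSettingsUnsafe(string $raw) {
    return unserialize($raw);
}

// Hardened pattern: allowed_classes=false turns any object in the input into
// __PHP_Incomplete_Class, so no magic method runs; then enforce the expected
// shape (a plain array) and reject everything else.
function loadSettingsSafe(string $raw): ?array {
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return null; // false (malformed) or an incomplete-class object
    }
    foreach ($data as $value) {
        if (is_object($value)) {
            return null; // nested objects are not acceptable either
        }
    }
    return $data;
}

$unsafe = loadSettingsUnsafe($objectPayload);
var_dump($unsafe instanceof PluginSettings, $unsafe->wokeUp); // bool(true) bool(true)

var_dump(loadSettingsSafe($objectPayload)); // NULL: object input rejected
var_dump(loadSettingsSafe($legit));         // array(2) {...}: plain data accepted
```

Where the stored format is under your control, storing settings as JSON and reading them with json_decode() removes the object-instantiation path entirely.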

Priority Score

Score: 33 (scale: Low / Medium / High / Critical)
Components: KEV: 0, EPSS: +0.0, CVSS: +32, POC: 0
