Severity by source
NVD (primary rating; only source for this CVE): CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
AC:H reflects the attacker's need for the site's salt values, PR:L the subscriber-level account, and C:H/I:H/A:H the worst case when a POP chain happens to be present on the site.
Description (CVE.org)
The Friends plugin for WordPress is vulnerable to PHP Object Injection in version 3.5.1 via deserialization of untrusted input of the query_vars parameter. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. This requires access to the site's SALT_NONCE and SALT_KEY to exploit.
Analysis (AI)
The Friends plugin for WordPress, in version 3.5.1 (the only version the advisory names), contains a PHP Object Injection vulnerability: the query_vars parameter is passed to unserialize() without validation, so any authenticated user with subscriber-level access or above can have the site instantiate objects of their choosing. The plugin itself ships no known gadget chain (POP chain), so on its own the bug has no impact; whether it becomes arbitrary file deletion, data exfiltration, or remote code execution depends entirely on which other plugins and themes are installed and whether one of them supplies a chain. Exploitation additionally requires knowledge of the site's SALT_NONCE and SALT_KEY values.
Technical Context (AI)
The weakness is CWE-502 (Deserialization of Untrusted Data): user-supplied input reaches PHP's unserialize() without validation, so the attacker decides which classes are instantiated and with what property values. In the Friends plugin that input is the query_vars parameter. Two factors narrow the attack surface: the attacker needs an authenticated account (subscriber level or above) and must know the site's SALT_NONCE and SALT_KEY values. Deserialization by itself is inert; the damage comes from a Property-Oriented Programming (POP) chain, a class already loaded on the site whose magic methods do something dangerous with attacker-controlled properties: __wakeup() runs during unserialize() itself, __destruct() when the object is freed (at the end of the request at the latest), and __toString() whenever the object is coerced to a string. Such classes commonly arrive through Composer libraries bundled with other plugins or themes; older versions of Monolog and Guzzle are well-known sources of gadget chains, and the PHPGGC project catalogues them.
Remediation (AI)
Immediate: update the Friends plugin to a release newer than 3.5.1 that the WordPress plugin repository changelog marks as fixing this issue; the advisory names only 3.5.1 as affected and does not state the fixed version. Until the update is applied:
(1) Deactivate the Friends plugin if it is not actively used.
(2) Limit subscriber-level accounts to trusted users; if open registration is enabled, anyone who signs up meets the authentication precondition.
(3) Add a Web Application Firewall rule that rejects serialized PHP object markers in the query_vars parameter (a pattern such as O:\d+:" or C:\d+:"), applied to the URL-decoded value so that percent-encoded payloads are caught too. Treat this as a stopgap: it blocks the obvious payload shape, not the unsafe call behind it.
(4) Keep the SALT_NONCE and SALT_KEY values in wp-config.php strong and unique, and make sure wp-config.php and its backups cannot be read through source leaks or hosting misconfiguration; the advisory makes these secrets a precondition for exploitation.
(5) Audit installed plugins and themes and remove unused ones, paying particular attention to bundled Composer libraries with known gadget chains (the PHPGGC gadget catalogue and vendor advisories are the reference for this).
(6) At the application level, reject any query_vars value that contains PHP serialization markers, prefer a data format that cannot express objects (JSON), and where unserialize() must remain, call it with ['allowed_classes' => false].
Vendor advisory: consult the WordPress plugin repository listing and changelog for the Friends plugin for the fixed release.
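As an added illustration of the Technical Context and Remediation sections above (not code from the Friends plugin, from this page, or from any real gadget chain), the following PHP script models the pattern end to end: a hypothetical gadget class CacheEntry standing in for a chain supplied by some other plugin, the unsafe unserialize() call, and a hardened loader that rejects object markers, forbids class instantiation with allowed_classes, and prefers JSON. All names (CacheEntry, load_query_vars_*, looks_like_php_object) and the payload are constructed for the demo.

```php
<?php
// Added illustration for this advisory, not code from the Friends plugin.
// Class, function and parameter names are hypothetical; they model the
// pattern described above, not the plugin's real query_vars handling.

// A gadget such as an unrelated plugin or theme might ship. Deserialization
// alone is harmless; a loaded class whose magic method performs a side
// effect on attacker-controlled properties is what forms a POP chain.
class CacheEntry
{
    public $path = '';

    public function __destruct()
    {
        // Runs when the object is freed (end of request at the latest),
        // although the deserializing code never calls it explicitly.
        if (is_string($this->path) && is_file($this->path)) {
            unlink($this->path);
        }
    }
}

// Vulnerable pattern: untrusted input reaches unserialize() unchanged,
// so any loaded class can be instantiated with attacker-chosen properties.
function load_query_vars_unsafe(string $raw)
{
    return unserialize($raw);
}

// Hardening step 1: refuse input carrying object (O:) or custom-object (C:)
// markers. Matching on the URL-decoded string catches percent-encoded
// payloads that a naive filter on the raw query string would miss.
function looks_like_php_object(string $raw): bool
{
    $decoded = rawurldecode($raw);
    return (bool) preg_match('/(?:^|[;{])[OC]:\d+:"/', $decoded);
}

// Hardening step 2: even for input that passed the check, forbid class
// instantiation. With allowed_classes => false every object becomes
// __PHP_Incomplete_Class, which has no exploitable magic methods, and the
// is_array() check then rejects it.
function load_query_vars_safe(string $raw): ?array
{
    if (looks_like_php_object($raw)) {
        return null;
    }
    $data = @unserialize($raw, ['allowed_classes' => false]);
    return is_array($data) ? $data : null;
}

// Hardening step 3 (preferred): use a format that cannot express objects.
function load_query_vars_json(string $raw): ?array
{
    try {
        $data = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return null;
    }
    return is_array($data) ? $data : null;
}

// Demonstration with a constructed payload aimed at the demo gadget above.
$victim  = tempnam(sys_get_temp_dir(), 'poi');
$payload = sprintf('O:10:"CacheEntry":1:{s:4:"path";s:%d:"%s";}',
                   strlen($victim), $victim);

// Benign serialized array: accepted by the hardened loader.
var_dump(load_query_vars_safe('a:1:{s:1:"q";s:5:"hello";}'));

// Object payload: the hardened loader returns null and the file survives.
var_dump(load_query_vars_safe($payload), file_exists($victim));

// The same payload through the unsafe loader instantiates CacheEntry; once
// the reference is dropped, __destruct() deletes the file.
$obj = load_query_vars_unsafe($payload);
unset($obj);
var_dump(file_exists($victim));

// The JSON loader accepts the equivalent data with no object semantics.
var_dump(load_query_vars_json('{"q":"hello"}'));
```

Run it with the PHP CLI (PHP 7.4 or later for the typed signatures). The point of the unsafe branch is that the deleting code is never called by the plugin-side logic: the property value and the class name both come from the input, and the runtime invokes __destruct() on its own. The marker check in step 1 is the WAF-style filter from item (3); step 2 is what actually closes the hole when unserialize() cannot be removed, and step 3 is the change a patch would ideally make.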
EUVD-2025-21210