Severity by source
CVSS v3.1 vector (NVD, the only rating source for this CVE): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description (CVE.org)
Deserialization of Untrusted Data vulnerability in yuliaz Rapyd Payment Extension for WooCommerce allows Object Injection. This issue affects Rapyd Payment Extension for WooCommerce: from n/a through 1.2.0.
Analysis (AI-generated)
Critical deserialization-of-untrusted-data vulnerability in the yuliaz Rapyd Payment Extension for WooCommerce (versions through 1.2.0) that allows unauthenticated remote attackers to perform PHP object injection. The vulnerability carries a CVSS score of 9.8: the attack vector is the network and no privileges or user interaction are required, so any internet-reachable attacker can exploit it. If it is actively exploited or proof-of-concept code becomes available, it represents an immediate risk to every unpatched WooCommerce installation running this payment plugin.
Technical Context (AI-generated)
The vulnerability stems from deserialization of untrusted data (CWE-502), a common PHP weakness in which user-controlled input is passed to unserialize() without validation. The Rapyd Payment Extension integrates Rapyd payment processing into WooCommerce e-commerce sites and likely deserializes payment response data, webhook payloads, or session data originating from the Rapyd gateway or from user input. When the serialized string is attacker-controlled, unserialize() instantiates whatever classes the attacker names, and the magic methods of those objects (__wakeup(), __destruct(), __toString()) can be chained into arbitrary code execution. The affected product is identified via CPE as a WooCommerce plugin from vendor 'yuliaz', affecting versions from an unspecified baseline through 1.2.0, which suggests the flaw may have existed since the initial release.
Remediation (AI-generated)
- Immediate patching: Update the Rapyd Payment Extension for WooCommerce to a version greater than 1.2.0 (the specific patched version is not provided in the available references; check the WordPress Plugin Directory or the yuliaz repository for 1.2.1 or later).
- Vendor advisory check: Consult official yuliaz/Rapyd security advisories or the WordPress Plugin Directory security page for CVE-2025-30618 to confirm patched version availability and deployment timeline.
- Temporary mitigation (if no patch is available): Disable the Rapyd Payment Extension if it is not immediately needed, or implement Web Application Firewall (WAF) rules to block suspicious deserialization payloads. This is not a reliable long-term mitigation for a network-accessible vulnerability.
- Code-level remediation: Replace all instances of unserialize() with secure alternatives: use json_decode() for JSON data, or use safe-by-default deserialization libraries. Validate and sanitize all payment data before processing.
- Input validation: Implement strict input validation on all webhook endpoints and payment response handlers; reject unexpected data types and structures before any deserialization occurs.
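The following is an added PHP example, not code from the Rapyd plugin or its vendor, illustrating the CWE-502 pattern described in the Technical Context and the code-level remediation and input validation items above. The LogWriter class, the webhook field schema (id, status, amount) and the handler names are hypothetical; the serialized sample input is constructed by hand so that no application object is instantiated while the script runs.

```php
<?php
// Added example (not the Rapyd plugin's code). Shows a webhook handler that
// calls unserialize() on a request body, and two hardened alternatives.
// All class, function and field names below are hypothetical.
declare(strict_types=1);

// A class whose magic method acts on its own properties. If untrusted data
// reaches unserialize(), the attacker chooses the class and its properties,
// so this __destruct() would run with attacker-chosen $path and $data.
final class LogWriter
{
    public string $path = '/tmp/example.log';
    public string $data = '';

    public function __destruct()
    {
        file_put_contents($this->path, $this->data, FILE_APPEND);
    }
}

// VULNERABLE: deserializes the raw request body with no restrictions.
function handleWebhookVulnerable(string $body): mixed
{
    return unserialize($body);
}

// HARDENED (1): same wire format, but object instantiation is disabled.
// Serialized objects come back as __PHP_Incomplete_Class and no application
// magic methods run.
function handleWebhookNoClasses(string $body): mixed
{
    return unserialize($body, ['allowed_classes' => false]);
}

// HARDENED (2, preferred): accept JSON only and validate the decoded shape.
// JSON cannot express PHP objects, so there is nothing for a gadget chain to hook.
function handleWebhookJson(string $body): array
{
    try {
        $payload = json_decode($body, true, 8, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        throw new InvalidArgumentException('webhook body is not valid JSON');
    }
    if (!is_array($payload)) {
        throw new InvalidArgumentException('webhook body must be a JSON object');
    }
    // Expected fields and PHP types (hypothetical schema, not Rapyd's real one).
    $schema = ['id' => 'string', 'status' => 'string', 'amount' => 'integer'];
    foreach ($schema as $key => $type) {
        if (!array_key_exists($key, $payload) || gettype($payload[$key]) !== $type) {
            throw new InvalidArgumentException("missing or mistyped field: $key");
        }
    }
    // Reject unknown keys instead of passing them through to the application.
    $unknown = array_diff_key($payload, $schema);
    if ($unknown !== []) {
        throw new InvalidArgumentException('unexpected fields: ' . implode(',', array_keys($unknown)));
    }
    return $payload;
}

// Defender-side check for a WAF rule or request log: flag bodies that contain
// a PHP-serialized object marker (O:<len>:"<class>") arriving at an endpoint
// that should only ever receive JSON.
function looksLikeSerializedObject(string $body): bool
{
    return preg_match('/(^|[;{])O:\d+:"/', $body) === 1;
}

// Constructed sample inputs.
$benign  = serialize(['id' => 'pay_123', 'status' => 'CLOSED', 'amount' => 1000]);
$json    = '{"id":"pay_123","status":"CLOSED","amount":1000}';
// Hand-written serialized LogWriter; written as a literal so that nothing
// in this script instantiates the class.
$hostile = 'O:9:"LogWriter":2:{s:4:"path";s:16:"/tmp/example.log";s:4:"data";s:5:"hello";}';

var_dump(handleWebhookNoClasses($hostile) instanceof __PHP_Incomplete_Class); // bool(true)
var_dump(handleWebhookJson($json)['status']);                                // string(6) "CLOSED"
var_dump(looksLikeSerializedObject($hostile));                               // bool(true)
var_dump(looksLikeSerializedObject($benign));                                // bool(false)
```

The vulnerable handler is defined but deliberately never called: passing $hostile to it would instantiate LogWriter and run its destructor at script end. Option (1) is the smallest change when a serialized format must be kept; option (2) is the one the remediation list recommends, because a JSON schema check rejects malformed payloads before any application code touches them.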
EUVD identifier: EUVD-2025-18549