CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Description
The Friends plugin for WordPress is vulnerable to PHP Object Injection in version 3.5.1 via deserialization of untrusted input of the query_vars parameter. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. This requires access to the site's SALT_NONCE and SALT_KEY to exploit.
Analysis
The Friends plugin for WordPress versions up to 3.5.1 contains a PHP Object Injection vulnerability in the query_vars parameter that allows authenticated subscribers and above to inject malicious serialized objects through unsafe deserialization. While the plugin itself lacks a known gadget chain (POP chain), successful exploitation depends on the presence of vulnerable code in other installed plugins or themes; if such a chain exists, attackers can achieve arbitrary file deletion, data exfiltration, or remote code execution, but exploitation requires knowledge of the site's SALT_NONCE and SALT_KEY values.
Technical Context
The vulnerability stems from CWE-502 (Deserialization of Untrusted Data), a critical class of PHP vulnerabilities where user-supplied input is passed directly to PHP's unserialize() function without proper validation. The Friends plugin improperly deserializes the query_vars parameter, allowing attackers to instantiate arbitrary PHP objects. The attack surface is limited by the requirement for authenticated access (subscriber-level minimum) and knowledge of cryptographic salts (SALT_NONCE and SALT_KEY). The real danger manifests only when a Property-Oriented Programming (POP) chain exists in the WordPress ecosystem—typically in other plugins with magic methods (__wakeup, __destruct, __toString) that execute dangerous operations during object instantiation or destruction. This is a common pattern in plugin ecosystems where widely-installed packages like Composer libraries may contain exploitable gadget chains (e.g., in older versions of libraries like Monolog or Guzzle).
Affected Products
Friends plugin for WordPress, versions <= 3.5.1. Affected CPE: cpe:2.3:a:wordpress:friends:*:*:*:*:*:wordpress:*:* with version constraints <= 3.5.1. Exploitation requires a PHP runtime capable of object deserialization (PHP 5.x and later) and the presence of at least one additional plugin or theme containing a usable POP gadget chain. Unaffected versions: 3.5.2 and later (assumed patched; vendor advisories should confirm). No specific WordPress core version constraints are noted, though WordPress 5.9+ is recommended for general security. Vulnerable configurations include both multisite and single-site installations where subscriber-level users can craft HTTP requests to the Friends plugin's endpoints.
Remediation
Immediate: Update the Friends plugin to version 3.5.2 or later when released (check the WordPress plugin repository for patched version availability). If a patch is unavailable, implement these mitigations:
(1) Disable the Friends plugin entirely if it is not actively used.
(2) Restrict subscriber access to trusted users only.
(3) Implement Web Application Firewall (WAF) rules to block serialized object patterns in query_vars parameters (detect the 'O:\d+:' regex).
(4) Enforce strong, unique SALT_NONCE and SALT_KEY values in wp-config.php and ensure they are not exposed via source code leaks or misconfiguration.
(5) Audit and remove unused plugins, especially those known to contain gadget chains (check security advisories for popular plugins like DMS, All In One SEO, and others that have historically contained POP chains).
(6) Implement application-level input validation to reject any query_vars values that contain PHP serialization markers.
Vendor advisory: consult the official WordPress plugin repository security notice for Friends plugin v3.5.2+ release details.
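The unsafe pattern described under Technical Context, next to the input screening from remediation items (3) and (6), as an added PHP example that is not the Friends plugin's own code. The handler names, the request array shape and the sample values are constructed for illustration; the only real API used is PHP's unserialize() with its allowed_classes option.

```php
<?php
// Added example, not code from the Friends plugin. Shows the CWE-502 pattern
// the advisory describes and a hardened replacement for a hypothetical
// handler that reads a 'query_vars' request parameter.

// VULNERABLE: the raw request value goes straight into unserialize(), so any
// class on the site with __wakeup/__destruct/__toString becomes reachable.
function vulnerable_handle_query_vars(array $request): array
{
    $query_vars = unserialize($request['query_vars'] ?? ''); // CWE-502
    return is_array($query_vars) ? $query_vars : [];
}

// Screening check (remediation items 3 and 6): flag object markers before the
// value reaches any deserializer. The advisory's 'O:\d+:' pattern is widened
// here to the C: marker (custom Serializable classes); that widening is this
// example's choice. The match is deliberately conservative: a string value
// that merely contains such a marker is rejected as well.
function contains_serialized_object(string $input): bool
{
    return preg_match('/(?:^|[;{])[OC]:\d+:"/', $input) === 1;
}

// HARDENED: screen the input, then deserialize with object instantiation
// disabled. allowed_classes=false (an unserialize() option since PHP 7.0)
// turns any object in the payload into __PHP_Incomplete_Class, which is
// rejected below together with anything that is not scalar or array data.
function safe_handle_query_vars(array $request): array
{
    $raw = (string) ($request['query_vars'] ?? '');
    if ($raw === '' || contains_serialized_object($raw)) {
        return [];
    }
    $query_vars = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($query_vars)) {
        return [];
    }
    $has_object = false;
    array_walk_recursive($query_vars, function ($value) use (&$has_object) {
        if (is_object($value)) {
            $has_object = true;
        }
    });
    return $has_object ? [] : $query_vars;
}

// Constructed sample inputs (not taken from the advisory).
$benign  = ['query_vars' => serialize(['post_type' => 'post', 'paged' => 2])];
$hostile = ['query_vars' => 'O:8:"stdClass":1:{s:3:"cmd";s:2:"id";}'];

var_dump(contains_serialized_object($benign['query_vars']));
var_dump(contains_serialized_object($hostile['query_vars']));
print_r(safe_handle_query_vars($benign));
print_r(safe_handle_query_vars($hostile));
```

The regex screen corresponds to the WAF rule in item (3) and is a secondary control only; the control that actually removes the gadget-chain risk is refusing to instantiate objects from client-supplied data, either with allowed_classes=false as above or, better, by not accepting PHP-serialized input from clients at all and using a data-only format such as JSON.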
EUVD-2025-21210