CVE-2025-49417
BaseFortify
Publication date: 2025-07-04
Last updated on: 2026-04-23
Assigner: Patchstack
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a deserialization of untrusted data issue (CWE-502, commonly called PHP object injection) in the WooCommerce Product Multi-Action WordPress plugin, versions up to 1.3. The plugin passes attacker-controlled serialized data to PHP's unserialize(), which lets an unauthenticated attacker instantiate arbitrary classes that are loaded in the application with attacker-chosen property values. What the injected object can do depends on the magic methods (such as __destruct or __wakeup) of the classes available in the site's loaded code; with a usable gadget chain this can lead to arbitrary code execution, denial of service, or unauthorized administrative access. No authentication is required to reach the vulnerable code path. [1]
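The following is an added example to illustrate the CWE-502 pattern described above in PHP; it is not code from the plugin or from Patchstack, and it does not reproduce the actual vulnerable code path, which the page does not show. The LogWriter gadget class, the serialized payloads, and the three restore functions are all hypothetical and constructed for the demonstration (PHP 7.4 or later assumed).

```php
<?php
// Added example, not the plugin's own code. It contrasts the CWE-502 pattern
// (unserialize() on client-supplied data) with two hardened alternatives.
// The LogWriter class and the payloads below are hypothetical/constructed.

// Hypothetical class that happens to be loaded by the application: a "gadget".
// Its destructor runs automatically once the object goes out of scope, which
// is immediately after unserialize() returns, with attacker-chosen fields.
class LogWriter {
    public $path;
    public $content;
    public function __destruct() {
        if ($this->path !== null) {
            // A real gadget would write the file; here we only report it.
            echo "would write to {$this->path}: {$this->content}\n";
        }
    }
}

// Vulnerable pattern: serialized state round-tripped through the client.
function vulnerable_restore(string $raw) {
    return unserialize($raw);          // CWE-502: attacker picks the class
}

// Hardened pattern 1: keep unserialize() but forbid object instantiation.
// Any object in the stream becomes __PHP_Incomplete_Class, whose magic
// methods never run; anything that is not an array is rejected.
function hardened_restore(string $raw): ?array {
    $state = unserialize($raw, ['allowed_classes' => false]);
    return is_array($state) ? $state : null;
}

// Hardened pattern 2 (preferred): never use PHP's native serialization for
// client data. Decode JSON to arrays only and validate the expected shape.
function hardened_restore_json(string $raw): ?array {
    try {
        $state = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return null;
    }
    if (!is_array($state) || !isset($state['ids']) || !is_array($state['ids'])) {
        return null;
    }
    // Coerce to positive integers so nothing but IDs survives validation.
    $ids = array_filter(array_map('intval', $state['ids']), fn($i) => $i > 0);
    return ['ids' => array_values($ids)];
}

// Constructed inputs: what the plugin expects (an array of product IDs) and
// what an attacker sends instead (a serialized LogWriter object).
$benign    = 'a:1:{s:3:"ids";a:2:{i:0;i:12;i:1;i:34;}}';
$malicious = 'O:9:"LogWriter":2:{s:4:"path";s:17:"/var/www/evil.php";s:7:"content";s:5:"<?php";}';

vulnerable_restore($malicious);           // LogWriter::__destruct fires
var_dump(hardened_restore($malicious));   // NULL: no object was instantiated
var_dump(hardened_restore($benign));      // array with ids => [12, 34]
var_dump(hardened_restore_json('{"ids":[12,"34",-1]}')); // ['ids' => [12, 34]]
```

When reviewing WordPress plugin code for this class of bug, grep for unserialize() and for WordPress's maybe_unserialize() helper, which calls unserialize() without the allowed_classes option; any call site whose input can be traced back to $_GET, $_POST, $_REQUEST, cookies, or an unauthenticated REST or admin-ajax endpoint is a candidate for the pattern shown here.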
How can this vulnerability impact me?
If exploited, this vulnerability can allow attackers to execute arbitrary code on your server, cause a denial of service, or gain unauthorized administrative access to your WordPress site. Because it requires no authentication, it is rated as highly dangerous and likely to be exploited at scale, potentially compromising both the security and the availability of your site. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate steps to mitigate this vulnerability include applying the virtual patch (vPatch) provided by Patchstack, which blocks requests exploiting this issue until an official fix is released. As of this page's writing no official patch is available, so virtual patching is the fastest protection; once the plugin vendor ships a fixed release, update to it. If the plugin is not actively needed, deactivating and removing it eliminates the exposed code path entirely. Site owners who suspect their site has already been compromised should seek professional incident response rather than relying on a patch alone, since a patch does not remove backdoors or rogue administrator accounts created during an earlier compromise. [1]