CVE-2025-7504
BaseFortify
Publication date: 2025-07-12
Last updated on: 2025-08-02
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| alex.kirk | friends | < 3.5.2 (all versions up to and including 3.5.1) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects the Friends plugin for WordPress in all versions up to and including 3.5.1. It is a PHP Object Injection (CWE-502): a value supplied in the query_vars parameter is passed to PHP's deserialization without validation, so an authenticated user with Subscriber-level access or higher can make the site instantiate an arbitrary PHP object. On its own that object does nothing; the plugin ships no Property Oriented Programming (POP) chain. Impact arises only when another plugin or theme on the same site provides a class whose magic methods (for example __wakeup or __destruct) perform dangerous side effects, which the injected object can then trigger.
How can this vulnerability impact me?
If a POP chain is available through another installed plugin or theme, an attacker could, depending on that chain, delete arbitrary files, read sensitive data, or execute code on the affected site. Exploitation requires both an authenticated account with Subscriber-level access or higher and knowledge of the site's SALT_NONCE and SALT_KEY values. Sites running 3.5.1 or earlier should update to 3.5.2 or later, the first version outside the affected range.
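To make the CWE-502 pattern concrete, the following is an added PHP example; it is not code from the Friends plugin and does not reproduce its real query_vars handling or the role of SALT_NONCE and SALT_KEY. The LogCleaner gadget class, the restore_query_vars_* function names and the payload are all constructed for the illustration. The gadget stands in for a class that some other plugin or theme on the site might ship, which is exactly the "POP chain elsewhere" condition the advisory describes; the vulnerable handler feeds request data straight to unserialize(), and the two hardened variants show how to refuse object instantiation or avoid PHP serialization for request data altogether.

```php
<?php
// Added illustration, not code from the Friends plugin. Every name below
// (LogCleaner, restore_query_vars_*) is hypothetical.

// Stand-in for a gadget class shipped by some *other* plugin or theme. The
// advisory notes the Friends plugin itself has no POP chain; impact only
// arises when a class like this one exists somewhere in the autoload path.
class LogCleaner
{
    public $path;

    public function __destruct()
    {
        // A side effect inside a magic method: this is what a POP chain abuses.
        if (is_string($this->path) && file_exists($this->path)) {
            unlink($this->path);
        }
    }
}

// VULNERABLE (CWE-502): untrusted request data goes straight to unserialize(),
// which instantiates whatever class name the attacker put in the string.
function restore_query_vars_vulnerable(string $raw)
{
    return unserialize($raw);
}

// HARDENED, option 1: forbid object instantiation. Every O:... token becomes
// __PHP_Incomplete_Class, whose __wakeup/__destruct are never invoked.
function restore_query_vars_safe(string $raw): array
{
    $vars = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($vars)) {
        return [];                      // malformed input -> empty array, not false
    }
    // Query vars should be scalars; drop anything object-like that slipped in.
    return array_filter($vars, fn($v) => is_scalar($v) || is_null($v));
}

// HARDENED, option 2: do not use PHP's serialization format for request data.
function restore_query_vars_json(string $raw): array
{
    try {
        $vars = json_decode($raw, true, 8, JSON_THROW_ON_ERROR); // assoc arrays only
    } catch (JsonException $e) {
        return [];
    }
    return is_array($vars) ? $vars : [];
}

// ---- demo on constructed input ----
$victim = tempnam(sys_get_temp_dir(), 'poi');   // file the gadget will target

// Hand-built attacker payload: an array whose "gadget" element is a serialized
// LogCleaner pointing at $victim. Only the class and property names are needed.
$payload = sprintf(
    'a:1:{s:6:"gadget";O:10:"LogCleaner":1:{s:4:"path";s:%d:"%s";}}',
    strlen($victim),
    $victim
);

restore_query_vars_vulnerable($payload);   // result discarded -> __destruct runs
printf("vulnerable: %s\n", file_exists($victim) ? 'file survived' : 'file deleted by gadget');

touch($victim);
$vars = restore_query_vars_safe($payload);
printf("hardened:   %s, %d usable vars\n",
    file_exists($victim) ? 'file intact' : 'file deleted', count($vars));

var_dump(restore_query_vars_json('{"s":"hello","paged":2}'));
unlink($victim);
```

Run it with `php example.php`: the vulnerable call deletes the temporary file the moment its return value is discarded, because freeing the injected LogCleaner runs its destructor; the hardened call leaves the file intact and returns an empty array, since the object became an __PHP_Incomplete_Class and was filtered out. `allowed_classes => false` is preferable to a class allow-list because any allowed class can itself become a gadget; where the data is generated by the site and only round-trips through the client, JSON (or a signed, non-serialized token) removes the deserialization sink entirely.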