CVE-2025-7825
BaseFortify
Publication date: 2025-10-03
Last updated on: 2025-10-06
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wptools | schema_plugin_for_divi_gutenberg_and_shortcodes | 4.3.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-96 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before inserting the input into an executable resource, such as a library, configuration file, or template. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Schema Plugin For Divi, Gutenberg & Shortcodes for WordPress up to version 4.3.2. It involves object instantiation through deserialization of untrusted input via the wpt_schema_breadcrumbs shortcode. Authenticated users with Contributor-level access or higher can inject a PHP object. However, the vulnerability only has an impact if another plugin or theme with a POP (Property Oriented Programming) chain is installed, which could then allow malicious actions.
How can this vulnerability impact me? :
If a POP chain is present through an additional plugin or theme, an attacker with Contributor-level access could exploit this vulnerability to delete arbitrary files, retrieve sensitive data, or execute code on the affected WordPress site. Without a POP chain, the vulnerability has no impact.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update the Schema Plugin For Divi, Gutenberg & Shortcodes plugin to a version later than 4.3.2 where the issue is fixed. Additionally, review and remove any other plugins or themes that may contain POP chains to reduce the risk of exploitation. Limit Contributor-level access to trusted users only.