CVE-2025-14044
Unknown Unknown - Not Provided
PHP Object Injection in Visitor Logic Lite WordPress Plugin

Publication date: 2025-12-12

Last updated on: 2025-12-12

Assigner: Wordfence

Description
The Visitor Logic Lite plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0.3 via deserialization of untrusted input from the `lpblocks` cookie. This is due to the `lp_track()` function passing unsanitized cookie data directly to the `unserialize()` function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code granted they can access the WordPress site.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-12
Last Modified
2025-12-12
Generated
2026-06-16
AI Q&A
2025-12-12
EPSS Evaluated
2026-06-15
NVD
CVE-2025-14044
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
visitor_logic lite 1.0.3
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a PHP Object Injection in the Visitor Logic Lite WordPress plugin (versions up to 1.0.3). It occurs because the plugin's lp_track() function unserializes data from the lpblocks cookie without sanitization, allowing unauthenticated attackers to inject malicious PHP objects. While no proof of concept (POP) chain is included in the plugin itself, if other plugins or themes provide a POP chain, attackers could exploit this to delete files, access sensitive data, or execute code on the WordPress site.

Impact Analysis

If exploited, this vulnerability can allow attackers to delete arbitrary files, retrieve sensitive information, or execute arbitrary code on the affected WordPress site, potentially compromising the site's integrity, confidentiality, and availability.

Mitigation Strategies

To mitigate this vulnerability, immediately update the Visitor Logic Lite plugin to a version later than 1.0.3 where the vulnerability is fixed. If an update is not available, consider disabling or removing the plugin until a patch is released. Additionally, restrict or sanitize the 'lpblocks' cookie input to prevent unserialization of untrusted data. Monitor your WordPress site for unusual activity and ensure that other plugins or themes do not provide a POP chain that could be exploited in combination.

Detection Guidance

This vulnerability can be detected by monitoring HTTP requests for the presence of the `lpblocks` cookie being sent to the WordPress site running the Visitor Logic Lite plugin version 1.0.3 or earlier. Since the vulnerability involves unsafe unserialization of the `lpblocks` cookie, suspicious or malformed serialized PHP objects in this cookie could indicate exploitation attempts. You can use network monitoring tools like tcpdump or Wireshark to capture HTTP traffic and filter for requests containing the `lpblocks` cookie. For example, using tcpdump: `tcpdump -i any -A -s 0 'tcp port 80 or tcp port 443' | grep lpblocks`. Additionally, on the server side, inspecting web server access logs for requests with the `lpblocks` cookie can help detect attempts. There are no specific built-in commands to detect the vulnerability automatically, but monitoring for unusual or unexpected serialized data in the `lpblocks` cookie is key. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14044. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart