CVE-2025-68853
Status: Awaiting Analysis (NVD queue)
Deserialization Vulnerability in Kleor Contact Manager Enables Object Injection

Publication date: 2026-02-20

Last updated on: 2026-04-27

Assigner: Patchstack

Description
Deserialization of Untrusted Data vulnerability in Kleor Contact Manager (contact-manager) allows Object Injection. This issue affects Contact Manager: from n/a through 9.1.1 (inclusive).
Meta Information
Published: 2026-02-20
Last Modified: 2026-04-27
Generated: 2026-05-07
AI Q&A: 2026-02-20
EPSS Evaluated: 2026-05-05
Source: NVD
Affected Vendors & Products (2 associated CPEs)
Vendor      Product           Version / Range
patchstack  contact_manager   up to and including 9.1.1
kleor       contact_manager   up to and including 9.1.1
Weakness (CWE)
CWE-502: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-68853 is a high-priority PHP Object Injection vulnerability in the WordPress Contact Manager plugin, versions up to and including 9.1.1.

The plugin hands attacker-controlled data to PHP's unserialize() (CWE-502), so an attacker can instantiate arbitrary classes with property values of their choosing. On its own that is harmless; the damage comes from a Property Oriented Programming (POP) chain: if any class loaded on the site (WordPress core, the theme or another plugin) has a magic method such as __wakeup() or __destruct() that does something sensitive with those properties, the attacker can drive it. Depending on the chain available, that can mean code execution, SQL injection, arbitrary file access via path traversal, or denial of service.

Insecure deserialization falls under OWASP Top 10 (2021) A08: Software and Data Integrity Failures.

Exploitation requires user interaction: a privileged user has to be induced to click a crafted link, visit an attacker-controlled page or submit a form. The attacker therefore does not need an account of their own to start the attack.

No official patch is currently available, but a mitigation rule exists to block attacks until a patch is released.
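To make the mechanism concrete, here is an added example (not code from the Contact Manager plugin or from Patchstack): a hypothetical settings-restore handler that calls unserialize() on request data, a hypothetical gadget class LogWriter whose __destruct() writes a file, and two hardened variants of the same handler. The class and function names, the temp-file path and the payload are all assumptions made for the demonstration; it needs PHP 8.

```php
<?php
// Added example, not code from the Contact Manager plugin or from Patchstack.
// Shows why unserialize() on request data is CWE-502 / PHP Object Injection,
// and what the hardened handler looks like. Requires PHP 8.

// Hypothetical gadget class. Any class already loaded on the site (core, theme,
// another plugin) with a magic method that acts on its properties can be a
// POP-chain link; this one writes a file in __destruct().
class LogWriter {
    public $path;
    public $data;
    public function __destruct() {
        // Runs when the object is released, i.e. right after the handler is
        // done with the unserialize() result, with attacker-chosen properties.
        file_put_contents($this->path, $this->data);
    }
}

// Vulnerable pattern: request data straight into unserialize().
function vulnerable_restore_settings(string $input): mixed {
    return unserialize($input);
}

// Hardened pattern 1: forbid every class. Object tokens in the payload become
// __PHP_Incomplete_Class, whose magic methods never run.
function hardened_restore_settings(string $input): mixed {
    $value = unserialize($input, ['allowed_classes' => false]);
    if ($value === false && $input !== 'b:0;') {
        return null; // malformed payload
    }
    return $value;
}

// Hardened pattern 2: do not use PHP serialization for untrusted data at all.
function json_restore_settings(string $input): ?array {
    try {
        $value = json_decode($input, true, 512, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return null;
    }
    return is_array($value) ? $value : null;
}

// Constructed attacker payload: a serialized LogWriter aimed at a temp file.
// A real chain would aim at something like a .php file under the web root.
$target  = sys_get_temp_dir() . '/poi_demo.txt';
$payload = sprintf(
    'O:9:"LogWriter":2:{s:4:"path";s:%d:"%s";s:4:"data";s:5:"pwned";}',
    strlen($target), $target
);

@unlink($target);
$hardened = hardened_restore_settings($payload);
printf("hardened: result is %s, file written: %s\n",
    get_class($hardened), var_export(file_exists($target), true));

$obj = vulnerable_restore_settings($payload);
unset($obj); // releases the object: __destruct() fires with attacker-controlled path/data
printf("vulnerable: file written: %s\n", var_export(file_exists($target), true));
@unlink($target);

// JSON variant for comparison: the same payload is simply rejected.
var_dump(json_restore_settings($payload));
```

Run it with the PHP CLI: the hardened call returns a __PHP_Incomplete_Class and leaves no file behind, while the vulnerable call writes the file the moment the object is released, even though the handler never calls a LogWriter method itself. allowed_classes => false only removes the instantiation step; if a handler genuinely needs objects back, an explicit allowlist of the one or two classes it expects is the next best option, and a format with no object semantics (JSON) is better still.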


How can this vulnerability impact me?

This vulnerability can have severe impacts including unauthorized code execution, data breaches through SQL injection, unauthorized file access via path traversal, and service disruption through denial of service, depending on which POP chain is available on the affected site.

Because it allows PHP Object Injection, attackers can potentially take control of the affected system or manipulate data, leading to compromised website integrity and security.

The CVSS score of 8.8 (High) reflects the severity of what a successful exploit can do; it does not measure how likely exploitation is, which is what the EPSS score is for.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

There is no specific detection command or signature provided for this vulnerability in the available resources.

However, since the vulnerability involves PHP Object Injection in the WordPress Contact Manager plugin (versions up to 9.1.1), monitoring for HTTP requests that carry serialized PHP objects can help detect exploitation attempts. A serialized object begins with a token of the form O:<length>:"ClassName":<count>:{ (or C:... for classes implementing Serializable). In a request it is frequently URL-encoded (O%3A...) or base64-encoded, so decode before matching.

Network or system administrators can use web application firewall (WAF) logs or intrusion detection systems (IDS) to look for POST or GET parameters and cookies containing such tokens, or unexpected parameters aimed at the Contact Manager plugin. Key the rule on the object token rather than on any serialized data: serialized arrays (a:...) and scalars occasionally appear in legitimate WordPress traffic, whereas a serialized object arriving from a client is almost never expected.


What immediate steps should I take to mitigate this vulnerability?

Since no official patch is currently available for CVE-2025-68853, immediate mitigation should focus on blocking exploitation attempts.

Patchstack has released a mitigation rule that can block attacks targeting this vulnerability until an official patch is issued and applied.

  • Implement the Patchstack mitigation rule to protect your WordPress installation.
  • Restrict access to the Contact Manager plugin endpoints to trusted users only.
  • Monitor your web server and application logs for suspicious activity related to PHP Object Injection attempts.

Additionally, consider disabling or removing the Contact Manager plugin if it is not essential, until a secure patch is released.
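As an added example that is neither the Patchstack rule nor Contact Manager code, and that covers both the detection advice above and the "block until patched" mitigation, the following must-use-plugin style guard scans query, form and cookie parameters for serialized object tokens (also after URL- and base64-decoding) and rejects matching requests with HTTP 403 while logging them. The function names, the log line format and the choice to block at mu-plugin load time are assumptions; run outside WordPress, the same file performs a self-check over constructed sample parameters.

```php
<?php
// Added example: a WordPress must-use-plugin style guard against PHP Object
// Injection. Not the Patchstack mitigation rule and not Contact Manager code.
// Drop into wp-content/mu-plugins/ to activate; run with the PHP CLI to self-test.

// Return the class names of serialized object tokens found in $value.
// Checks the raw value, its URL-decoded form and (if valid) its base64-decoded form.
function poi_find_serialized_objects(string $value): array {
    $candidates = [$value, rawurldecode($value)];
    $b64 = base64_decode($value, true);
    if ($b64 !== false) {
        $candidates[] = $b64;
    }
    $found = [];
    foreach ($candidates as $c) {
        // PHP's object tokens: O:<len>:"<class>":<n>:{  and  C:<len>:"<class>":<n>:{
        // (C: is used by classes implementing Serializable). The declared length
        // must equal the class-name length, which weeds out look-alikes in free text.
        if (preg_match_all('/[OC]:(\d+):"([^"]*)":\d+:\{/', $c, $m, PREG_SET_ORDER)) {
            foreach ($m as $match) {
                if ((int) $match[1] === strlen($match[2])) {
                    $found[] = $match[2];
                }
            }
        }
    }
    return array_values(array_unique($found));
}

// Walk a possibly nested parameter array and report every hit as [param, class].
function poi_scan_params(array $params, string $prefix = ''): array {
    $hits = [];
    foreach ($params as $key => $val) {
        $name = $prefix === '' ? (string) $key : $prefix . '[' . $key . ']';
        if (is_array($val)) {
            $hits = array_merge($hits, poi_scan_params($val, $name));
        } elseif (is_string($val)) {
            foreach (poi_find_serialized_objects($val) as $class) {
                $hits[] = ['param' => $name, 'class' => $class];
            }
        }
    }
    return $hits;
}

if (defined('ABSPATH')) {
    // Inside WordPress. mu-plugins load before regular plugins, so checking here
    // (not in a later hook) runs before any plugin can unserialize() the input.
    $hits = poi_scan_params(array_merge($_GET, $_POST, $_COOKIE));
    if ($hits !== []) {
        error_log(sprintf('[poi-guard] blocked %s %s from %s: %s',
            $_SERVER['REQUEST_METHOD'] ?? '?', $_SERVER['REQUEST_URI'] ?? '?',
            $_SERVER['REMOTE_ADDR'] ?? '?', json_encode($hits)));
        http_response_code(403);
        exit('Forbidden');
    }
} else {
    // CLI self-check over constructed sample parameters (not real traffic).
    $samples = [
        'legit'   => ['name' => 'Alice', 'msg' => 'Call at 10:30, "thanks"'],
        'plain'   => ['data' => 'O:8:"stdClass":1:{s:1:"a";i:1;}'],
        'encoded' => ['data' => 'O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A1%3A%22a%22%3Bi%3A1%3B%7D'],
        'nested'  => ['form' => ['field' => base64_encode('O:6:"Gadget":0:{}')]],
        'array'   => ['data' => 'a:1:{s:1:"k";s:1:"v";}'],  // serialized array, no object: allowed
        'badlen'  => ['data' => 'O:3:"stdClass":0:{}'],     // length mismatch: ignored
    ];
    foreach ($samples as $label => $params) {
        printf("%-8s %s\n", $label, json_encode(poi_scan_params($params)));
    }
}
```

The guard deliberately matches only object tokens, not serialized arrays or scalars, so ordinary plugin traffic is left alone; if a legitimate feature on the site does post serialized objects, add an allowlist of its class names before the block. It does not inspect raw JSON or multipart bodies that PHP has not parsed into $_POST, and it is a stopgap in the same spirit as a WAF rule: the real fix is the vendor patch, or removing the plugin until one ships.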

