CVE-2025-68853
Awaiting Analysis Awaiting Analysis - Queue
Deserialization Vulnerability in Kleor Contact Manager Enables Object Injection

Publication date: 2026-02-20

Last updated on: 2026-04-27

Assigner: Patchstack

Description
Deserialization of Untrusted Data vulnerability in Kleor Contact Manager contact-manager allows Object Injection.This issue affects Contact Manager: from n/a through <= 9.1.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-20
Last Modified
2026-04-27
Generated
2026-06-16
AI Q&A
2026-02-20
EPSS Evaluated
2026-06-15
NVD
CVE-2025-68853
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
patchstack contact_manager to 9.1.1 (inc)
kleor contact_manager to 9.1.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-68853 is a high-priority PHP Object Injection vulnerability in the WordPress Contact Manager Plugin versions up to and including 9.1.1.

This vulnerability allows an attacker to perform PHP Object Injection, which can lead to various exploits such as code injection, SQL injection, path traversal, and denial of service if a suitable Property Oriented Programming (POP) chain is available.

It is classified under OWASP Top 10 A1: Broken Access Control.

Exploitation requires user interaction by a privileged user performing actions like clicking a malicious link, visiting a crafted page, or submitting a form, but no authentication is strictly required to initiate the attack.

No official patch is currently available, but mitigation rules exist to block attacks until a patch is released.

Impact Analysis

This vulnerability can have severe impacts including unauthorized code execution, data breaches through SQL injection, unauthorized file access via path traversal, and service disruption through denial of service attacks.

Because it allows PHP Object Injection, attackers can potentially take control of the affected system or manipulate data, leading to compromised website integrity and security.

The high CVSS score of 8.8 reflects the dangerous nature of this flaw and the likelihood of exploitation.

Compliance Impact

I don't know

Detection Guidance

There is no specific detection command or signature provided for this vulnerability in the available resources.

However, since the vulnerability involves PHP Object Injection in the WordPress Contact Manager Plugin (versions up to 9.1.1), monitoring for unusual HTTP requests that include serialized PHP objects or suspicious payloads targeting the plugin endpoints could help detect exploitation attempts.

Network or system administrators might consider using web application firewall (WAF) logs or intrusion detection systems (IDS) to look for anomalous POST or GET requests containing serialized PHP objects or unexpected parameters related to the Contact Manager plugin.

Mitigation Strategies

Since no official patch is currently available for CVE-2025-68853, immediate mitigation should focus on blocking exploitation attempts.

Patchstack has released a mitigation rule that can block attacks targeting this vulnerability until an official patch is issued and applied.

  • Implement the Patchstack mitigation rule to protect your WordPress installation.
  • Restrict access to the Contact Manager plugin endpoints to trusted users only.
  • Monitor your web server and application logs for suspicious activity related to PHP Object Injection attempts.

Additionally, consider disabling or removing the Contact Manager plugin if it is not essential, until a secure patch is released.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68853. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart