KBx Pro Ultimate <= 8.0.5 – Unauthenticated PHP Object Injection | CVE 2025-60232 | Plugin Vulnerabilities

Description

The KBx Pro Ultimate plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 8.0.5 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Affects Plugins

knowledgebase-helpdesk-pro

No known fix

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/6e4bc689-8265-4f7a-bda2-d9ca8420179f

Classification

Type

OBJECT INJECTION

OWASP top 10

A8: Insecure Deserialization

CWE

CVSS

Miscellaneous

Original Researcher

João Pedro S Alcântara (Kinorth)

Verified

No

WPVDB ID

0e904740-473c-4dea-bec1-eb3bcbffcdde

Timeline

Publicly Published

2025-07-15 (about 8 months ago)

Added

2025-12-11 (about 3 months ago)

Last Updated

2025-12-11 (about 3 months ago)

Other

Published

Title

Published

2024-02-29

Title

Slider Responsive Slideshow – Image slider, Gallery slideshow < 1.4.0 - Authenticated (Contributor+) PHP Object Injection

Published

2026-03-03

Title

Pets Club <= 2.3 - Unauthenticated PHP Object Injection

Published

2023-05-29

Title

Gravity Forms < 2.7.4 - Unauthenticated PHP Object Injection

Published

2024-04-11

Title

WPvivid Backup & Migration Plugin < 0.9.100 - Admin+ PHAR Deserialization

Published

2025-05-14

Title

WPBot Pro Wordpress Chatbot <= 12.7.0 - Unauthenticated PHP Object Injection