JupiterX Core < 4.11.0 – Authenticated (Contributor+) PHP Object Injection | CVE 2025-50004 | Plugin Vulnerabilities

Description

The JupiterX Core plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 4.10.1 via deserialization of untrusted input [from the vulnerable parameter?|in the vulnerable function?]. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Affects Plugins

Fixed in 4.11.0

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/3ef98c6f-4243-46bf-8231-3c751473fff7

Classification

Type

OBJECT INJECTION

OWASP top 10

A8: Insecure Deserialization

CWE

CVSS

Miscellaneous

Original Researcher

João Pedro S Alcântara (Kinorth)

Verified

No

WPVDB ID

b187cafc-7a83-443a-bdef-9760d55631e0

Timeline

Publicly Published

2026-01-12 (about 2 months ago)

Added

2026-01-20 (about 2 months ago)

Last Updated

2026-01-20 (about 2 months ago)

Other

Published

Title

Published

2025-08-21

Title

Portfolio Manager Pro 3.8 - Unauthenticated PHP Object Injection

Published

2025-05-16

Title

WordPress Events Calendar Registration & Tickets <= 2.6.0 - Unauthenticated PHP Object Injection

Published

2016-11-15

Title

Google Analytics Counter Tracker < 3.5.0 - Unauthenticated PHP Object Injection

Published

2024-01-24

Title

Advanced Database Cleaner < 3.1.4 - Administrator+ PHP Object Injection

Published

2025-10-03

Title

JobSearch < 3.0.8 - Unauthenticated PHP Object Injection