WordPress Plugin Vulnerabilities

WC Price History for Omnibus < 2.1.5 - Authenticated (Shop manager+) PHP Object Injection

Description

The WC Price History for Omnibus plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.1.4 via deserialization of untrusted input. This makes it possible for authenticated attackers, with shop manager-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Affects Plugins

Plugin icon
wc-price-history
Fixed in 2.1.5

References

CVE
CVE-2025-22510
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/4af0e984-896d-4938-a870-8a50644d4823

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502
CVSS
7.2 (high)

Miscellaneous

Original Researcher
Webula
Verified
No
WPVDB ID
c9212ad7-5dec-4286-9b6b-c43c4401941b

Timeline

Publicly Published
2025-01-07 (about 1 year ago)
Added
2025-01-14 (about 1 year ago)
Last Updated
2025-01-14 (about 1 year ago)

Other

Published
Title
Published
2025-08-08
Title
Gravity Forms Salesforce < 1.5.2 - Unauthenticated PHP Object Injection
Published
2024-04-26
Title
GiveWP – Donation Plugin and Fundraising Platform < 3.5.0 - Authenticated (GiveWP Manager+) PHP Object Injection
Published
2023-04-10
Title
SEOPress < 6.5.0.3 - Admin+ PHP Object Injection
Published
2024-05-16
Title
ShiftController Employee Shift Scheduling < 4.9.58 - Authenticated (Contributor+) PHP Object Injection
Published
2024-11-12
Title
Advanced Order Export For WooCommerce < 3.5.6 - Unauthenticated PHP Object Injection via Order Details