WordPress Plugin Vulnerabilities

Boldermail <= 2.4.0 - Authenticated (Contributor+) PHP Object Injection

Description

The Boldermail plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.4.0 via deserialization of untrusted input. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Affects Plugins

Plugin icon
boldermail
No known fix

References

CVE
CVE-2025-52740
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/6122682d-6725-422c-9be8-339e4fb039a7

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502
CVSS
7.5 (high)

Miscellaneous

Original Researcher
Drew Webber (mcdruid)
Verified
No
WPVDB ID
f0e32ffd-c2b5-4318-b61b-a50341fb93d9

Timeline

Publicly Published
2025-08-05 (about 8 months ago)
Added
2025-11-04 (about 5 months ago)
Last Updated
2025-11-04 (about 5 months ago)

Other

Published
Title
Published
2021-03-25
Title
Facebook for WordPress < 3.0.0 - PHP Object Injection with POP Chain
Published
2025-01-03
Title
Backup Migration < 1.4.6.1 - Unauthenticated PHP Object Injection via 'recursive_unserialize_replace'
Published
2026-03-09
Title
Beelove | Honey Production and Sweets Online Store WordPress Theme <= 1.2.6 - Unauthenticated PHP Object Injection
Published
2024-03-05
Title
Logo Showcase Ultimate – Logo Carousel, Logo Slider & Logo Grid < 1.3.9 - Authenticated(Contributor+) PHP Object Injection
Published
2024-03-13
Title
PropertyHive < 2.0.10 - Authenticated (Subscriber+) PHP Object Injection