CVE-2025-0724

CVE-2025-0724 is a PHP Object Injection vulnerability (CWE-502) affecting the ProfileGrid – User Profiles, Groups and Communities plugin for WordPress in all versions up to and including 5.9.4.5. The issue arises from deserialization of untrusted input in the get_user_meta_fields_html function, enabling authenticated attackers to inject a PHP Object. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility and low complexity.

Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability remotely. While no known Proof-of-Presence (POP) chain exists within the vulnerable plugin itself, making it benign in isolation, the injection could be leveraged if another plugin or theme on the target site provides a POP chain. In such cases, attackers may achieve severe impacts, including deletion of arbitrary files, retrieval of sensitive data, or arbitrary code execution, depending on the specific POP chain available.

Advisories reference the vulnerable code location in the WordPress plugin trac at https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/tags/5.9.4.2/includes/class-profile-magic-html-generator.php#L259 and provide further details via Wordfence threat intelligence at https://www.wordfence.com/threat-intel/vulnerabilities/id/6bb1de69-7bc2-4785-9789-0a2d1cf35b9b?source=cve.