CVE-2025-0767
Published: 27 February 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-0767 is a critical vulnerability in the WP Activity Log WordPress plugin version 5.3.2. It stems from unvalidated user input being passed directly to an unserialize function in the file myapp/classes/Writers/class-csv-writer.php, enabling deserialization of untrusted data (CWE-502). The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), highlighting its severe potential impact.
An unauthenticated attacker can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Exploitation allows high-impact compromise of confidentiality, integrity, and availability, potentially leading to arbitrary code execution or other severe outcomes depending on available deserialization gadgets in the application.
Mitigation details are available in advisories from the WordPress plugin repository at https://co.wordpress.org/plugins/wp-security-audit-log/ and Fluid Attacks at https://fluidattacks.com/advisories/skims-9/. Security practitioners should review these for patch information and update instructions.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Insecure deserialization in a WordPress plugin's public-facing AJAX endpoint (admin-ajax.php) enables exploitation of a weakness in a web application for initial access.