CVE-2025-22526
Published: 28 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-22526 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the WordPress plugin mywebtonet-performancestats, a PHP/MySQL CPU performance statistics tool. The flaw enables PHP Object Injection and affects all versions up to and including 1.2.1. It received a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity because of its potential for complete system compromise.
A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows arbitrary code execution, potentially leading to high-impact confidentiality, integrity, and availability violations, such as data theft, modification, or denial of service on the affected WordPress site.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/mywebtonet-performancestats/vulnerability/wordpress-php-mysql-cpu-performance-statistics-plugin-1-2-1-php-object-injection-vulnerability?_s_id=cve details the vulnerability and recommends updating to a patched version beyond 1.2.1 to mitigate the issue.
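The advisory describes the vulnerability class (CWE-502, untrusted data reaching PHP's unserialize()) but not the plugin's code. The following is an added, hypothetical illustration of that class and of two safe alternatives; it is not the plugin's code, and the function names, the HMAC key and the sample statistics array are all constructed for the example.

```php
<?php
// Hypothetical illustration of CWE-502 in a WordPress-style handler.
// None of this is mywebtonet-performancestats code.

// VULNERABLE PATTERN: request-controlled data is passed straight to
// unserialize(). Any class with a magic method (__wakeup, __destruct,
// __toString, ...) that is loaded at this point can be instantiated by
// the caller, which is what "PHP Object Injection" means.
function load_stats_vulnerable(string $raw)
{
    return unserialize(base64_decode($raw)); // do not do this
}

// SAFE OPTION 1: use JSON for data that crosses a trust boundary.
// json_decode() with assoc=true can only ever produce scalars and arrays,
// so there is no object instantiation to abuse. Validate the shape after.
function load_stats_safe_json(string $raw): ?array
{
    try {
        $value = json_decode($raw, true, 512, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return null;
    }
    if (!is_array($value) || !isset($value['cpu']) || !is_numeric($value['cpu'])) {
        return null; // schema check: reject anything unexpected
    }
    return $value;
}

// SAFE OPTION 2: if PHP's serialized format must be kept (e.g. stored by
// the plugin itself), (a) authenticate the blob so only data the server
// produced is accepted, and (b) forbid class instantiation entirely with
// allowed_classes => false (PHP 7.0+), which turns any O:... entry into
// __PHP_Incomplete_Class instead of a live object.
function load_stats_safe_serialized(string $raw, string $hmacKey): ?array
{
    $decoded = base64_decode($raw, true);
    if ($decoded === false || strlen($decoded) <= 32) {
        return null;
    }
    $mac     = substr($decoded, 0, 32);          // raw SHA-256 HMAC, 32 bytes
    $payload = substr($decoded, 32);
    $expected = hash_hmac('sha256', $payload, $hmacKey, true);
    if (!hash_equals($expected, $mac)) {
        return null; // tampered or foreign blob
    }
    $value = unserialize($payload, ['allowed_classes' => false]);
    // Only accept plain arrays; objects (now __PHP_Incomplete_Class) are rejected.
    return is_array($value) ? $value : null;
}

// Helper the server would use when it writes the blob (constructed example).
function store_stats_serialized(array $stats, string $hmacKey): string
{
    $payload = serialize($stats);
    return base64_encode(hash_hmac('sha256', $payload, $hmacKey, true) . $payload);
}

// --- constructed demo -------------------------------------------------
$key   = 'constructed-demo-key-not-for-production';
$stats = ['cpu' => 12.5, 'load' => [0.4, 0.3, 0.2]];

$blob = store_stats_serialized($stats, $key);
var_dump(load_stats_safe_serialized($blob, $key) === $stats);   // bool(true)

// Same blob with a flipped byte fails the HMAC check before unserialize() runs.
$tampered = base64_encode('x' . substr(base64_decode($blob), 1));
var_dump(load_stats_safe_serialized($tampered, $key));           // NULL

// JSON path accepts well-formed input and rejects a wrong shape.
var_dump(load_stats_safe_json('{"cpu": 12.5}') !== null);        // bool(true)
var_dump(load_stats_safe_json('{"cpu": "not-a-number"}'));       // NULL
```

The practical takeaway for a defender reviewing plugin code is the grep target: any unserialize() whose argument derives from $_GET, $_POST, $_COOKIE, a REST request body or an unauthenticated option is the CWE-502 pattern, and the fix is either a format change to JSON or, at minimum, allowed_classes => false plus an integrity check on the blob.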
Details
- CWE(s): CWE-502 Deserialization of Untrusted Data
- MITRE ATT&CK Enterprise Techniques: T1190 Exploit Public-Facing Application
Why these techniques?
The vulnerability is a remote, unauthenticated deserialization flaw in a public-facing WordPress plugin that enables arbitrary code execution, which maps directly to exploitation of public-facing applications.