CVE-2025-23932
Published: 22 January 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-23932 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the Marko-M Quick Count WordPress plugin (quick-count), enabling Object Injection. This issue affects Quick Count versions from n/a through 3.00.
The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), making it exploitable over the network by unauthenticated attackers with low attack complexity and no user interaction required. Attackers can achieve high impacts on confidentiality, integrity, and availability, potentially leading to remote code execution or other severe compromises through malicious object deserialization.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/quick-count/vulnerability/wordpress-quick-count-plugin-3-00-php-object-injection-vulnerability?_s_id=cve provides details on this PHP object injection vulnerability in the WordPress Quick Count plugin version 3.00. Security practitioners should review this reference for recommended mitigations, such as applying available patches or updates.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE is a remote unauthenticated deserialization vulnerability in a public-facing WordPress plugin enabling RCE, directly mapping to exploitation of public-facing applications.