CVE-2025-26763
Published: 22 February 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-26763 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the MetaSlider Responsive Slider WordPress plugin (ml-slider) that allows Object Injection. This issue affects Responsive Slider by MetaSlider versions from n/a through 3.94.0. The vulnerability was published on 2025-02-22 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity.
Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no user interaction. Successful exploitation gives high impact on confidentiality, integrity, and availability, potentially including remote code execution via object injection in the PHP plugin environment.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/ml-slider/vulnerability/wordpress-slider-gallery-and-carousel-by-metaslider-image-slider-video-slider-plugin-3-94-0-php-object-injection-vulnerability?_s_id=cve provides further details on the vulnerability, including mitigation recommendations.
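As an added illustration of the CWE-502 pattern behind this class of issue (hypothetical PHP, not the ml-slider plugin's code and not a description of the actual flaw), the following contrasts unrestricted `unserialize()` on request data with two safer ways of handling the same settings input:

```php
<?php
declare(strict_types=1);

// Added example, not code from the ml-slider plugin. unserialize() on
// attacker-controlled input instantiates arbitrary classes, whose magic
// methods (__wakeup, __destruct, __toString) then run with attacker-chosen
// properties; that is what "PHP object injection" (CWE-502) means.

// Vulnerable pattern (hypothetical): serialized settings arrive from an
// unauthenticated request and are deserialized without restriction.
function loadSettingsVulnerable(string $raw): mixed
{
    return unserialize($raw); // any class may be instantiated
}

// Hardened pattern 1: refuse object instantiation. With allowed_classes=false
// every object in the payload becomes __PHP_Incomplete_Class, so no magic
// method runs; any payload that carried an object is then rejected outright.
function loadSettingsHardened(string $raw): array
{
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($value)) {
        throw new InvalidArgumentException('settings must be a serialized array');
    }
    array_walk_recursive($value, function ($v): void {
        if ($v instanceof __PHP_Incomplete_Class) {
            throw new InvalidArgumentException('object in untrusted payload rejected');
        }
    });
    return $value;
}

// Hardened pattern 2 (preferred for new code): use JSON, which cannot carry
// PHP objects at all, with a depth limit and strict error handling.
function loadSettingsJson(string $raw): array
{
    $value = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($value)) {
        throw new InvalidArgumentException('settings must be a JSON object');
    }
    return $value;
}

// Constructed inputs for demonstration.
$benign     = serialize(['width' => 800, 'autoplay' => true]);
$withObject = serialize(['width' => 800, 'hook' => new stdClass()]);

var_dump(loadSettingsHardened($benign));
try {
    loadSettingsHardened($withObject);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

Note that `allowed_classes` only blocks class instantiation; the cleanest fix for plugin settings and similar data is to stop accepting PHP-serialized input from unauthenticated requests altogether.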
Details
- CWE(s): CWE-502 Deserialization of Untrusted Data
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application
Why these techniques?
The CVE describes an unauthenticated remote deserialization/object injection vulnerability in a public-facing WordPress plugin leading to RCE, directly enabling exploitation of public-facing applications.