CVE-2025-26885
Published: 03 March 2025
Description
Adversaries may abuse Unix shell commands and scripts for execution.
Security Summary
CVE-2025-26885 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the Beaver Builder WordPress Assistant plugin that allows Object Injection. Published on 2025-03-03T14:15:56.360, it affects WordPress Assistant versions from n/a through <= 1.5.1. The vulnerability carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
Exploitation requires network access, low attack complexity, high privileges (PR:H), and no user interaction. An attacker with sufficient privileges can achieve high impacts on confidentiality, integrity, and availability, such as through arbitrary object injection leading to potential remote code execution or system compromise.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/assistant/vulnerability/wordpress-assistant-plugin-1-5-1-php-object-injection-vulnerability?_s_id=cve details the PHP object injection vulnerability in the WordPress Assistant plugin version 1.5.1 and provides associated mitigation guidance.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
PHP object injection via deserialization in public-facing WordPress plugin enables remote code execution, directly mapping to exploitation of public-facing applications (T1190) and Unix shell command execution (T1059.004).