Cyber Posture

CVE-2025-27300

High

Published: 24 February 2025
Modified: 23 April 2026
CVSS Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0010 (28.0th percentile)
Risk Priority: 14 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Security Summary

CVE-2025-27300 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the giuliopanda ADFO admin-form WordPress plugin, enabling Object Injection. The issue affects ADFO versions from n/a through 1.9.1 and was published on 2025-02-24.

With a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), the vulnerability can be exploited remotely with low attack complexity by authenticated users possessing high privileges, such as administrators. No user interaction is required, and successful exploitation allows attackers to achieve high impacts on confidentiality, integrity, and availability.

The Patchstack database provides details on this vulnerability in the WordPress ADFO plugin version 1.9.1, including assessment of the deserialization issue: https://patchstack.com/database/Wordpress/Plugin/admin-form/vulnerability/wordpress-adfo-plugin-1-9-1-deserialization-of-untrusted-data-vulnerability?_s_id=cve.

Details

CWE(s): CWE-502 (Deserialization of Untrusted Data)

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

A deserialization of untrusted data vulnerability in a public-facing WordPress plugin enables remote object injection, leading to code execution on the server.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
