CVE-2025-49386
Published: 06 November 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-49386 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the Preserve Code Formatting WordPress plugin developed by Scott Reilly. The flaw allows Object Injection and affects all versions of the plugin from its initial release through 4.0.1 inclusive. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact across confidentiality, integrity, and availability.
The vulnerability can be exploited over the network by authenticated attackers with low privileges, requiring low complexity and no user interaction. Successful exploitation enables Object Injection, which can result in high-impact outcomes such as unauthorized data access, modification, or denial of service, depending on available PHP deserialization gadgets in the environment.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/preserve-code-formatting/vulnerability/wordpress-preserve-code-formatting-plugin-4-0-1-php-object-injection-vulnerability?_s_id=cve, which documents the vulnerability in the Preserve Code Formatting plugin up to version 4.0.1.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Deserialization of untrusted data (CWE-502) in a WordPress plugin enables unauthenticated remote exploitation of a public-facing web application.