CVE-2025-52740
Published: 22 October 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-52740 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the Boldermail WordPress plugin developed by Hernan Villanueva, enabling PHP Object Injection. The issue affects Boldermail versions from n/a through 2.4.0 inclusive. Published on 2025-10-22, it carries a CVSS 3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.
The vulnerability can be exploited remotely over the network by an attacker with low privileges, such as an authenticated user, requiring low complexity and no user interaction. Successful exploitation allows the attacker to achieve high confidentiality, integrity, and availability impacts, potentially leading to full system compromise through object injection.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/boldermail/vulnerability/wordpress-boldermail-plugin-2-4-0-php-object-injection-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a network-accessible deserialization flaw (CWE-502) in a WordPress plugin exploitable by low-privileged users, directly enabling exploitation of a public-facing application.