Overview
In the world of cybersecurity, the detection of new vulnerabilities is an ongoing process. One such vulnerability that has been recently identified is CVE-2025-0855, which affects the PGS Core plugin for WordPress. It is a critical vulnerability that can lead to PHP Object Injection, enabling attackers to inject a PHP Object without requiring any authentication. This issue concerns not only individual WordPress site owners but also businesses and organizations that use this plugin, as it can potentially lead to severe consequences such as system compromise or sensitive data leakage.
Vulnerability Summary
CVE ID: CVE-2025-0855
Severity: Critical (CVSS score: 9.8)
Attack Vector: Network
Privileges Required: None
User Interaction: None
Impact: This vulnerability, if successfully exploited, can lead to system compromise and data leakage.
Affected Products
Escape the Surveillance Era
Most apps won’t tell you the truth.
They’re part of the problem.
Phone numbers. Emails. Profiles. Logs.
It’s all fuel for surveillance.
Ameeba Chat gives you a way out.
- • No phone number
- • No email
- • No personal info
- • Anonymous aliases
- • End-to-end encrypted
Chat without a trace.
Product | Affected Versions
PGS Core WordPress Plugin | Up to and including 5.8.0
How the Exploit Works
The exploit takes advantage of an issue in the ‘import_header’ function of the PGS Core plugin for WordPress. This function does not adequately verify the validity of input before deserializing it, thereby allowing the injection of PHP Objects. An attacker can exploit this vulnerability by sending a specially crafted request to the vulnerable application, leading to PHP Object Injection. If a Property-Oriented Programming (POP) chain exists in any additional plugin or theme installed on the system, the vulnerability can be further exploited to delete arbitrary files, retrieve sensitive data, or execute arbitrary code.
Conceptual Example Code
Here’s an illustrative example of how an attacker might exploit this vulnerability. This example is purely conceptual and should not be used in a real-world scenario.
POST /wp-content/plugins/pgs-core/inc/importers/import_header.php HTTP/1.1
Host: vulnerable-wordpress-site.com
Content-Type: application/php
O:8:"stdClass":1:{s:4:"file";s:27:"/path/to/arbitrary/file.php";}In this example, an attacker sends a POST request to the ‘import_header.php’ file, which is part of the PGS Core plugin. The payload includes an injected PHP Object that references an arbitrary file. If the server has a POP chain that allows file deletion, this request could potentially delete the referenced file.
Mitigation and Recommendations
The best way to mitigate this vulnerability is by applying the vendor patch. Users of the PGS Core plugin for WordPress should upgrade to the latest version as soon as possible. As a temporary measure, one can use Web Application Firewall (WAF) or an Intrusion Detection System (IDS) to detect and prevent exploitation of this vulnerability. However, these are not long-term solutions and do not address the underlying issue. Regularly updating and patching software is essential in maintaining a secure online environment.