CVE-2025-0855 in PGS Core Plugin
Summary
by MITRE • 05/07/2025
The PGS Core plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.8.0 via deserialization of untrusted input in the 'import_header' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
Analysis
by VulDB Data Team • 06/11/2026
The PGS Core plugin for WordPress is susceptible to PHP Object Injection in all versions up to and including 5.8.0. This flaw exists within the 'import_header' function, where the plugin deserializes untrusted input without proper validation or sanitization. The vulnerability operates at the core level of PHP application security, exploiting the fundamental principle that user-supplied data should never be directly processed through unserialize() or similar functions without adequate security measures. The attack vector is particularly dangerous because it requires no authentication, allowing any remote attacker to exploit the flaw simply by sending malicious data to the affected endpoint.
The technical implementation of this vulnerability stems from improper input validation within the plugin's import functionality. When the 'import_header' function processes incoming data, it fails to sanitize or validate the serialized PHP objects before deserializing them. This creates an opportunity for attackers to craft malicious serialized objects that, when processed, can trigger unintended PHP object behavior. The vulnerability aligns with CWE-502 which specifically addresses "Deserialization of Untrusted Data" and represents a classic example of how insecure deserialization can lead to arbitrary code execution. The flaw exists in the application's data flow where untrusted input transitions from external sources directly into the deserialization process without proper security controls.
The operational impact of this vulnerability extends beyond simple data manipulation, creating potential for severe system compromise when combined with other vulnerable components within the WordPress ecosystem. While no known POP (property-oriented programming) chains exist within the PGS Core plugin itself, the absence of such chains does not eliminate the threat. Attackers can leverage the object injection to manipulate the application's behavior, potentially leading to file deletion, data exfiltration, or remote code execution. The vulnerability can be exploited to manipulate the application's internal state, potentially allowing attackers to bypass authentication mechanisms or escalate privileges. This represents a critical risk in environments where multiple plugins or themes may contain exploitable components that could form a complete attack chain.
Mitigation strategies for this vulnerability must address both immediate remediation and long-term security hardening. The most effective immediate solution involves upgrading to a patched version of the PGS Core plugin or implementing a comprehensive input validation layer that prevents deserialization of untrusted data. Organizations should also implement network-level protections such as web application firewalls that can detect and block malicious serialization patterns. Security controls should include monitoring for unusual deserialization activities and implementing proper access controls to limit the impact of potential exploitation. The vulnerability demonstrates the importance of following secure coding practices as outlined in OWASP Top 10 and NIST guidelines, particularly focusing on input validation and output encoding. Additionally, security teams should conduct comprehensive vulnerability assessments to identify other plugins or themes that might contain exploitable POP chains, as these could be leveraged to extend the initial attack vector and achieve more severe outcomes.
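The monitoring for serialization patterns described above can be sketched as a small detector that flags PHP object tokens in request parameters, including URL-encoded and base64-encoded forms. This is an added example, not code from the plugin or from VulDB; the parameter names and sample values are constructed for illustration.

```python
import base64
import re
from urllib.parse import unquote_plus

# PHP serialize() writes an object as O:<name length>:"<class>":<count>:{ and a
# Serializable object as C:<name length>:"<class>":<length>:{ . Arrays, strings
# and integers (a:, s:, i:) never instantiate a class, so only O: and C: matter.
# A value sits at the start of the payload or right after a key's ';'.
OBJECT_TOKEN = re.compile(r'(?:^|;)[OC]:(\d+):"([^"]+)":\d+:\{')

def _views(value):
    """Return the raw value plus its URL-decoded and base64-decoded forms."""
    views = [value, unquote_plus(value)]
    for text in list(views):
        try:
            decoded = base64.b64decode(text, validate=True)
            views.append(decoded.decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError: not base64
            pass
    return views

def find_object_classes(value):
    """List class names of PHP object tokens carried by one parameter value."""
    found = []
    for view in _views(value):
        for match in OBJECT_TOKEN.finditer(view):
            length, name = int(match.group(1)), match.group(2)
            # PHP rejects a token whose declared length is wrong, so skip it.
            if len(name.encode()) == length and name not in found:
                found.append(name)
    return found

def scan_request(params):
    """Map parameter name -> class names, for parameters that carry objects."""
    hits = {key: find_object_classes(val) for key, val in params.items()}
    return {key: names for key, names in hits.items() if names}

# Constructed sample parameters; names and values are illustrative only.
SAMPLE = {
    "title": "Summer sale",
    "layout": 'a:2:{s:4:"logo";s:8:"logo.png";s:5:"width";i:120;}',
    "header_data": 'a:1:{i:0;O:8:"stdClass":0:{}}',
    "header_b64": base64.b64encode(b'O:8:"stdClass":0:{}').decode(),
    "header_url": "O%3A8%3A%22stdClass%22%3A0%3A%7B%7D",
}

if __name__ == "__main__":
    for key, names in scan_request(SAMPLE).items():
        print(f"ALERT param={key} classes={names}")
```

Pattern matching of this kind supports monitoring but does not remove the flaw. In PHP code, the stronger control is to keep request data out of unserialize() entirely, or to pass `['allowed_classes' => false]` as its second argument so that no class is instantiated.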