PHP Object Injection Vulnerability in Live Composer Website Builder Plugin for WordPress
CVE-2025-14071
Key Information:
- Vendor: WordPress
- CVE Published: 21 December 2025
What is CVE-2025-14071?
The Live Composer plugin for WordPress is susceptible to a PHP Object Injection vulnerability due to the deserialization of untrusted input in the dslc_module_posts_output shortcode. This flaw affects all versions up to and including 2.0.2 and allows authenticated attackers with Contributor-level access or higher to exploit the vulnerability and inject a PHP Object. While no known PHP Object Injection chain exists within the plugin itself, if the vulnerable site has other plugins or themes containing such a chain, attackers could potentially execute malicious actions including deleting arbitrary files, accessing sensitive information, or executing arbitrary code. Proper security measures should be taken to mitigate these risks.
Affected Version(s)
Live Composer – Free WordPress Website Builder * <= 2.0.2
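A defender's check for the condition described above, as an added example that is not code from the plugin or the advisory: it scans post content for `dslc_module_posts_output` shortcodes whose body carries a PHP serialized-object token. The enclosing `[tag]...[/tag]` form, the optional base64 wrapping, the function names and the sample rows are assumptions made for illustration.

```python
import base64
import binascii
import re

# Shortcode named in the advisory; the enclosing [tag]...[/tag] form is an assumption.
SHORTCODE = re.compile(
    r"\[dslc_module_posts_output\b[^\]]*\](.*?)\[/dslc_module_posts_output\]",
    re.DOTALL,
)
# PHP serialize() object tokens: O:<len>:"Class":<count>:{ and C:<len>:"Class":<len>:{
PHP_OBJECT = re.compile(r'(?<![A-Za-z0-9_])[OC]:\+?\d+:"([^"]+)":\d+:\{')


def _candidates(body):
    """Yield the raw body and, if it decodes cleanly, its base64 form (assumed wrapping)."""
    yield body
    compact = "".join(body.split())
    try:
        yield base64.b64decode(compact, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return


def find_serialized_objects(post_content):
    """Return sorted class names from serialized-object tokens inside the shortcode."""
    classes = set()
    for match in SHORTCODE.finditer(post_content):
        for text in _candidates(match.group(1)):
            classes.update(PHP_OBJECT.findall(text))
    return sorted(classes)


def audit(posts):
    """Map post ID -> class names for every post whose shortcode carries an object."""
    found = {pid: find_serialized_objects(body) for pid, body in posts.items()}
    return {pid: names for pid, names in found.items() if names}


# Constructed sample rows (post ID -> post_content); "ExampleClass" is a made-up name.
SAMPLE_POSTS = {
    101: '[dslc_module_posts_output]a:1:{s:9:"post_type";s:4:"post";}[/dslc_module_posts_output]',
    102: '[dslc_module_posts_output]O:12:"ExampleClass":0:{}[/dslc_module_posts_output]',
    103: "[dslc_module_posts_output]"
    + base64.b64encode(b'a:1:{i:0;O:12:"ExampleClass":0:{}}').decode()
    + "[/dslc_module_posts_output]",
    104: 'Plain text mentioning O:12:"ExampleClass":0:{} outside any shortcode.',
}
```

Run `audit()` over rows exported from `wp_posts` (ID and `post_content`); any hit authored by a Contributor-level account is worth reviewing alongside the plugin version in use.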