PHP Object Injection Vulnerability in Glossary by WPPedia Plugin for WordPress
CVE-2025-4803
7.2 HIGH
Key Information:
- Vendor: WordPress
- CVE Published: 21 May 2025
What is CVE-2025-4803?
The Glossary by WPPedia plugin for WordPress is vulnerable to PHP Object Injection through deserialization of untrusted input supplied in the 'posttypes' parameter. An authenticated attacker with Administrator-level access can use the flaw to inject a PHP object into the application. The plugin itself contains no known property-oriented programming (POP) chain, but the risk escalates if another plugin or theme installed on the site provides one; in that case an attacker could delete files, access sensitive information, or execute arbitrary code.
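The mitigation pattern for this class of bug, as an added example that is not the plugin's own code: decode the serialized value with class instantiation disabled, then accept only a flat list of post type keys. The function name `wppedia_example_decode_posttypes()` and the sample inputs are hypothetical, since the page does not show how the plugin handles 'posttypes'.

```php
<?php
// Added illustration. wppedia_example_decode_posttypes() is a hypothetical
// helper, not a function taken from the plugin.

/**
 * Decode a serialized 'posttypes' value without instantiating any class,
 * then accept only a flat list of valid post type keys.
 */
function wppedia_example_decode_posttypes(string $raw): array
{
    // allowed_classes => false turns every serialized object into an inert
    // __PHP_Incomplete_Class, so no __wakeup() or __destruct() code can run.
    // @ suppresses the notice/warning PHP emits for malformed input.
    $value = @unserialize($raw, ['allowed_classes' => false]);

    if (!is_array($value)) {
        return []; // parse failure, scalar, or a bare object
    }

    $clean = [];
    foreach ($value as $item) {
        // Post type keys: lowercase alphanumerics, dashes, underscores,
        // at most 20 characters.
        if (!is_string($item) || preg_match('/^[a-z0-9_-]{1,20}$/', $item) !== 1) {
            return []; // reject the whole input, e.g. an object nested in the array
        }
        $clean[] = $item;
    }

    return array_values(array_unique($clean));
}

// Constructed sample inputs (not captured traffic).
$legit  = serialize(['post', 'page', 'glossary_term']);
$object = 'O:8:"stdClass":0:{}';                          // bare serialized object
$nested = 'a:2:{i:0;s:4:"post";i:1;O:8:"stdClass":0:{}}'; // object hidden inside an array

var_dump(wppedia_example_decode_posttypes($legit));
var_dump(wppedia_example_decode_posttypes($object));
var_dump(wppedia_example_decode_posttypes($nested));
```

Storing the setting as JSON and reading it with `json_decode()` removes the object-instantiation path entirely, because JSON carries no class information.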
Affected Version(s)
Glossary by WPPedia – Best Glossary plugin for WordPress: versions <= 1.3.0