PHP Object Injection in Friends Plugin for WordPress
CVE-2025-7504

7.5HIGH

Key Information:

Vendor: WordPress
Status: Friends
Vendor: CVE Published:; 12 July 2025

What is CVE-2025-7504?

The Friends plugin for WordPress is susceptible to a PHP Object Injection vulnerability due to improper handling of untrusted input in the query_vars parameter. This allows authenticated users with subscriber-level access or higher to inject malicious PHP Objects. The vulnerability itself does not pose a risk unless a vulnerable Object Property (POP) chain exists within other plugins or themes installed on the site. If such a chain is present, attackers could potentially execute harmful actions such as deleting files, accessing sensitive data, or executing arbitrary code depending on the specific POP chain utilized. Successful exploitation requires an attacker to obtain the site's SALT_NONCE and SALT_KEY.

Affected Version(s)

Friends 3.5.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://github.com/akirk/friends/pull/537

https://wordpress.org/plugins/friends/

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 12, 2025
Vulnerability Reserved
Jul 11, 2025

Credit

Pham Nguyen Khoa