Description
The PGS Core plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.8.0 via deserialization of untrusted input in the 'import_header' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
Published: 2025-05-06
Score: 9.8 Critical
EPSS: 2.6% Low
KEV: No
Impact: Remote Code Execution
Action: Patch Now
AI Analysis

Impact

The PGS Core plugin for WordPress contains an unsafe deserialization flaw in the import_header function that allows a PHP Object Injection vulnerability (CWE-502). An attacker can craft a serialized payload that is processed by the plugin, leading to the instantiation of arbitrary PHP objects. While the plugin itself does not provide a ready-to-use PHP Object Poisoning (POP) chain, the injection can still be leveraged if a malicious object triggers code that is subsequently executed by other components of the WordPress installation, enabling arbitrary file manipulation or code execution.

Affected Systems

All installations of Potenza Global Solutions’ PGS Core WordPress plugin up to and including version 5.8.0 are affected. No other product versions are listed as vulnerable.

Risk and Exploitability

The vulnerability scores a CVSS of 9.8 and an EPSS of 3%, indicating a high likelihood of exploitation but a relatively low overall probability of attack at the moment. It is not listed in the CISA KEV catalog. Attackers can trigger the flaw from any unauthenticated web request that reaches the import_header endpoint. Without a ready POP chain the impact is limited to the plugin; however, if the target environment contains additional vulnerable plugins or themes that support PHP object deserialization, an attacker could delete files, exfiltrate data, or execute arbitrary code.

Generated by OpenCVE AI on April 22, 2026 at 13:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the PGS Core plugin to version 5.8.1 or later, which removes the vulnerable import_header function.
  • If an immediate update is not possible, block or disable the import_header endpoint through server configuration or by disabling the corresponding feature in WordPress settings.
  • Conduct a thorough review of all installed plugins, themes, and custom code for other deserialization or POP chain vulnerabilities to prevent chained exploitation.

Generated by OpenCVE AI on April 22, 2026 at 13:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-13649 The PGS Core plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.8.0 via deserialization of untrusted input in the 'import_header' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
History

Sun, 13 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00212}

 epss

{'score': 0.00221}

Wed, 07 May 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 06 May 2025 22:45:00 +0000

Type Values Removed Values Added
Description The PGS Core plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.8.0 via deserialization of untrusted input in the 'import_header' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
Title PGS Core <= 5.8.0 - Unauthenticated PHP Object Injection
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:56:05.964Z

Reserved: 2025-01-29T18:30:17.914Z

Link: CVE-2025-0855

cve-icon Vulnrichment

Updated: 2025-05-07T13:23:06.959Z

cve-icon NVD

Status : Deferred

Published: 2025-05-06T23:15:50.350

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-0855

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T13:30:17Z

Weaknesses