Description
The Visitor Logic Lite plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0.3 via deserialization of untrusted input from the `lpblocks` cookie. This is due to the `lp_track()` function passing unsanitized cookie data directly to the `unserialize()` function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code, provided they can access the WordPress site.
Published: 2025-12-12
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated PHP Object Injection, capable of escalating to remote code execution if a property-oriented programming (POP) gadget chain is available from another installed plugin or theme
Action: Apply Patch
AI Analysis

Impact

The vulnerability lies in the Visitor Logic Lite plugin for WordPress, which deserializes data from the lpblocks cookie without validation. This PHP Object Injection flaw, identified as CWE‑502, allows an unauthenticated attacker to inject any PHP object into the application. While no exploitation chain is built into the plugin itself, the injected object could be used in conjunction with a vulnerable class from another plugin or theme to delete files, read sensitive data or execute arbitrary code, assuming the attacker can reach the site’s HTTP interface.
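The following PHP is an added illustration of the pattern the description above names (a cookie value passed straight to `unserialize()`) next to a hardened replacement; it is not the plugin's real source. Only the function name `lp_track()` and the cookie name `lpblocks` come from the advisory; the function bodies, the `_vulnerable`/`_hardened` suffixes, the helper names and the assumption that the cookie carries a flat list of integer block ids are all constructed for this example.

```php
<?php
// Added example, not the plugin's code. lp_track() and the lpblocks cookie
// are named in the advisory; everything else here is an assumed reconstruction.

// BEFORE: the CWE-502 pattern the advisory describes. Whatever the client
// sends is instantiated; any __wakeup()/__destruct() of a class that happens
// to be loadable (from any plugin or theme) runs, which is what a POP chain needs.
function lp_track_vulnerable(): array {
    $raw = $_COOKIE['lpblocks'] ?? '';
    if ($raw === '') {
        return [];
    }
    // WordPress adds slashes to superglobals, hence the stripslashes().
    $blocks = unserialize(stripslashes($raw));   // untrusted input -> unserialize()
    return is_array($blocks) ? $blocks : [];
}

// AFTER: never unserialize() client-controlled data. Read JSON, bound its size
// and nesting, and keep only values of the one shape the feature needs.
function lp_filter_block_ids(array $values): array {
    $clean = [];
    foreach ($values as $id) {
        if (is_int($id) && $id > 0) {           // positive integer block ids only
            $clean[] = $id;
        }
    }
    return array_values(array_unique($clean));
}

function lp_track_hardened(): array {
    $raw = $_COOKIE['lpblocks'] ?? '';
    if ($raw === '' || strlen($raw) > 4096) {   // assumed size limit
        return [];
    }
    // depth 2 = one flat array of scalars; nested structures are rejected.
    $blocks = json_decode(stripslashes($raw), true, 2);
    return is_array($blocks) ? lp_filter_block_ids($blocks) : [];
}

// Writer side: emit the same JSON shape the reader accepts.
function lp_set_blocks_cookie(array $ids): void {
    setcookie('lpblocks', json_encode(lp_filter_block_ids($ids)), [
        'expires'  => time() + 30 * 86400,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Migration path if PHP-serialized cookies from older versions must still be
// read: refuse anything that contains an object record, and even then
// unserialize with allowed_classes => false so that no class is instantiated
// (objects become __PHP_Incomplete_Class and no magic method runs).
function lp_parse_legacy(string $raw): array {
    if (preg_match('/(^|[;{])[OC]:\d+:"/', $raw)) {
        error_log('lpblocks: serialized object in cookie rejected'); // visible to ops
        return [];
    }
    $decoded = @unserialize($raw, ['allowed_classes' => false]);
    return is_array($decoded) ? lp_filter_block_ids($decoded) : [];
}

// Constructed self-check (run from the CLI; no WordPress needed).
$_COOKIE['lpblocks'] = json_encode([3, 7, 7, -1, 'x']);
var_dump(lp_track_hardened() === [3, 7]);                       // bool(true)
$_COOKIE['lpblocks'] = 'O:8:"stdClass":0:{}';                   // object record
var_dump(lp_track_hardened() === []);                           // bool(true)
var_dump(lp_parse_legacy('a:1:{i:0;i:5;}') === [5]);            // bool(true)
var_dump(lp_parse_legacy('a:1:{i:0;O:8:"stdClass":0:{}}') === []); // bool(true)
```

The key design choice is that the reader never gives `unserialize()` a chance to instantiate a class at all: JSON cannot express objects with behaviour, and the legacy path both screens for object records and disables class loading, so a gadget class shipped by some other plugin is never reached regardless of what the cookie contains.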

Affected Systems

All releases of Visitor Logic Lite up to and including version 1.0.3 from the vendor rodgerholl are affected. No specific version ranges beyond the stated limit are listed, and the issue applies to every installation of the plugin prior to 1.0.4.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity, yet the EPSS score is below 1%, suggesting a low probability of exploitation at any given time. The vulnerability is not in the CISA KEV catalog, which reduces perceived urgency. The likely attack vector is manipulation of the lpblocks cookie by any client that can reach a URL under the site domain. With no known POP chain in the plugin itself, the flaw has no known exploitation path in isolation; however, if the target environment hosts any additional plugin or theme containing a vulnerable class that the attacker can instantiate through deserialization, the consequences range from file deletion and data exfiltration to full code execution.

Generated by OpenCVE AI on April 21, 2026 at 17:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Visitor Logic Lite to the latest version, 1.0.4 or newer, which removes the unsanitized unserialize call.
  • If an upgrade is impossible, either disable the plugin or block or strip the lpblocks cookie before it reaches the plugin, so that no attacker-supplied value is deserialized.
  • In a broader strategy, audit other installed plugins and themes for classes that could be instantiated via deserialization and apply patches or mitigations to those components as well.

Advisories

No advisories yet.

History

Mon, 15 Dec 2025 19:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 12 Dec 2025 09:00:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Fri, 12 Dec 2025 03:45:00 +0000

Type: Description
Values Added: The Visitor Logic Lite plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0.3 via deserialization of untrusted input from the `lpblocks` cookie. This is due to the `lp_track()` function passing unsanitized cookie data directly to the `unserialize()` function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code granted they can access the WordPress site.

Type: Title
Values Added: Visitor Logic Lite <= 1.0.3 - Unauthenticated PHP Object Injection via 'lpblocks' Cookie

Type: Weaknesses
Values Added: CWE-502

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:56:43.388Z

Reserved: 2025-12-04T16:15:55.591Z

Link: CVE-2025-14044

Vulnrichment

Updated: 2025-12-15T17:53:55.608Z

NVD

Status: Deferred

Published: 2025-12-12T04:15:46.380

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14044

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T17:30:37Z

Weaknesses