Description
The Live Composer – Free WordPress Website Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.0.2 via deserialization of untrusted input in the dslc_module_posts_output shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable plugin, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.
Published: 2025-12-21
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: PHP Object Injection with potential code execution if a POP chain is present
Action: Patch immediately
AI Analysis

Impact

This vulnerability allows an authenticated user with Contributor access or higher to supply a serialized string that the dslc_module_posts_output shortcode hands to PHP's unserialize(), instantiating attacker-chosen PHP objects. The plugin itself contains no known POP chain, so on its own the injection has no usable effect. If another installed plugin or theme provides classes whose magic methods (for example __destruct or __wakeup) act on attacker-controlled properties, the injected objects become a gadget chain that can delete files, read sensitive data or execute code. The real-world impact therefore depends on what else is installed on the site.
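The following PHP script is an added illustration of the CWE-502 pattern described above; it is not Live Composer's code. The CacheWriter gadget class, the two shortcode-style handler functions, the payload and the attribute name `options` are all constructed for the example. It shows why the advisory says the injection alone has no impact: the same payload fires a destructor when a gadget class is loaded and the handler calls unserialize() unrestricted, and does nothing when the handler passes `allowed_classes => false`.

```php
<?php
// Added illustration of the CWE-502 pattern behind this CVE. None of this is
// Live Composer's code: the gadget class, the shortcode-style handlers and the
// payload are constructed for the example. Run with: php poi-demo.php

// A gadget of the kind a POP chain needs: a class from some OTHER plugin or
// theme whose destructor acts on properties the attacker controls. Live
// Composer itself ships no such class, which is why the advisory says the
// injection alone has no impact.
class CacheWriter
{
    public $path;
    public $content;

    public function __destruct()
    {
        // Arbitrary file write: $path and $content come straight from the payload.
        file_put_contents($this->path, $this->content);
    }
}

// Vulnerable pattern: a shortcode attribute reaches unserialize() with no
// restriction on which classes may be instantiated.
function render_vulnerable(array $atts)
{
    $options = unserialize($atts['options']); // attacker-controlled string
    unset($options);                          // refcount hits zero, __destruct fires
}

// Hardened pattern: allowed_classes => false turns every object in the payload
// into __PHP_Incomplete_Class, which has no magic methods to trigger. Better
// still is to carry options as JSON and never unserialize() untrusted input.
function render_hardened(array $atts)
{
    $options = unserialize($atts['options'], ['allowed_classes' => false]);
    return is_array($options) ? $options : false; // reject anything that is not plain data
}

// Constructed payload, the kind of string a Contributor could place in an
// attribute such as [dslc_module_posts_output options="O:11:..."]. It is built
// by hand rather than with serialize() so that no real CacheWriter is created here.
$target  = sys_get_temp_dir() . '/poi-demo.txt';
$message = "written by a deserialized gadget\n";
$payload = sprintf(
    'O:11:"CacheWriter":2:{s:4:"path";s:%d:"%s";s:7:"content";s:%d:"%s";}',
    strlen($target), $target, strlen($message), $message
);

@unlink($target);
render_vulnerable(['options' => $payload]);
echo file_exists($target) ? "vulnerable handler: gadget ran, $target written\n"
                          : "vulnerable handler: nothing written\n";

@unlink($target);
$result = render_hardened(['options' => $payload]);
echo file_exists($target) ? "hardened handler: file written (unexpected)\n"
                          : "hardened handler: object neutralised, nothing written\n";
var_dump($result); // bool(false): the payload was an object, not an options array
```

Delete the CacheWriter class and the vulnerable handler becomes harmless as well: unserialize() then produces an __PHP_Incomplete_Class instance just as the hardened handler does. That is exactly the situation the advisory describes for a site running only Live Composer, and exactly what changes once another plugin or theme ships a class like CacheWriter.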

Affected Systems

Live Composer – Free WordPress Website Builder plugin for WordPress, all versions up to and including 2.0.2. Any WordPress site with the plugin active is exposed: the plugin registers the dslc_module_posts_output shortcode, and a Contributor can place shortcodes in post content that the site then renders.

Risk and Exploitability

The CVSS 3.1 base score of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects high impact on confidentiality, integrity and availability. The EPSS score below 1% indicates a low likelihood of exploitation in the wild, and the vulnerability is not listed in CISA's KEV catalog. The attack is network-reachable: the attacker needs only a Contributor-level account (PR:L) and no user interaction, then submits crafted input that the shortcode deserializes. Attack complexity is rated high (AC:H), consistent with the fact that any effect beyond the object injection itself depends on a POP chain supplied by another installed plugin or theme. If such a chain is present, the outcome can include arbitrary file deletion, data disclosure or remote code execution. Until the plugin is updated or the component supplying the chain is removed, the exposure persists.

Generated by OpenCVE AI on April 21, 2026 at 16:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Live Composer plugin to a release newer than 2.0.2 as soon as the vendor publishes one; all versions up to and including 2.0.2 are affected.
  • Remove or update any other plugins or themes that contain known POP chains (classes whose magic methods act on attacker-controlled data) so that injected objects have no gadgets to reach.
  • Revoke or restrict Contributor‑level permissions for untrusted accounts until the plugin is patched or the risky shortcode is disabled.
  • If immediate patching is not possible, unregister the dslc_module_posts_output shortcode site‑wide to close the injection vector.
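One way to carry out the last action above, as an added example rather than anything from the plugin or from OpenCVE: a must-use plugin that unregisters the shortcode with WordPress's remove_shortcode(). It assumes Live Composer registers the tag with add_shortcode() on or before the 'init' action; the second hook covers the case where it is registered later.

```php
<?php
/**
 * Added example, not Live Composer's code. Save as
 * wp-content/mu-plugins/disable-dslc-posts-shortcode.php; mu-plugins load
 * automatically and cannot be deactivated from the dashboard.
 * Assumes the plugin registers the shortcode with add_shortcode() on or
 * before the 'init' action.
 */

const DSLC_BLOCKED_SHORTCODE = 'dslc_module_posts_output';

// Unregister the tag after every plugin has had its chance to register it.
add_action('init', function () {
    remove_shortcode(DSLC_BLOCKED_SHORTCODE);
}, PHP_INT_MAX);

// Second line of defence: do_shortcode() runs on 'the_content' at priority 11,
// so re-check at priority 1 in case the tag was registered on a later hook.
add_filter('the_content', function ($content) {
    if (shortcode_exists(DSLC_BLOCKED_SHORTCODE)) {
        remove_shortcode(DSLC_BLOCKED_SHORTCODE);
    }
    return $content;
}, 1);

// Surface the state to administrators so the workaround is not forgotten.
add_action('admin_notices', function () {
    if (!current_user_can('manage_options')) {
        return;
    }
    $state = shortcode_exists(DSLC_BLOCKED_SHORTCODE) ? 'STILL REGISTERED' : 'disabled';
    printf(
        '<div class="notice notice-warning"><p>Shortcode %s is %s (CVE-2025-14071 workaround).</p></div>',
        esc_html(DSLC_BLOCKED_SHORTCODE),
        esc_html($state)
    );
});
```

Once the tag is unregistered, any post that still contains `[dslc_module_posts_output ...]` renders the literal text instead of the module, which is the intended trade-off until a fixed plugin version is installed. Remove the mu-plugin after updating.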

Advisories

No advisories yet.

History

Thu, 22 Jan 2026 23:00:00 +0000


Tue, 23 Dec 2025 23:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Livecomposer
                                      Livecomposer live Composer
                                      Wordpress
                                      Wordpress wordpress
Vendors & Products                    Livecomposer
                                      Livecomposer live Composer
                                      Wordpress
                                      Wordpress wordpress

Mon, 22 Dec 2025 21:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sun, 21 Dec 2025 02:45:00 +0000

Type          Values Removed   Values Added
Description                    The Live Composer – Free WordPress Website Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.0.2 via deserialization of untrusted input in the dslc_module_posts_output shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable plugin, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.
Title                          Live Composer – Free WordPress Website Builder <= 2.0.2 - Authenticated (Contributor+) PHP Object Injection via dslc_module_posts_output Shortcode
Weaknesses                     CWE-502
References
Metrics                        cvssV3_1
                               {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Livecomposer Live Composer
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:50:55.587Z

Reserved: 2025-12-04T21:19:41.474Z

Link: CVE-2025-14071

Vulnrichment

Updated: 2026-01-22T18:15:30.101Z

NVD

Status : Deferred

Published: 2025-12-21T03:15:52.487

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14071

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T17:00:12Z

Weaknesses