Description
Deserialization of Untrusted Data vulnerability in Marko-M Quick Count quick-count allows Object Injection.This issue affects Quick Count: from n/a through <= 3.00.
Published: 2025-01-22
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Quick Count plugin for WordPress up to version 3.00 contains a flaw that allows an attacker to supply untrusted data that is deserialized with no validation, leading to PHP object injection. This flaw aligns with CWE‑502 and can enable an attacker to execute arbitrary PHP code on the affected server, potentially compromising confidentiality, integrity, and availability of the site and any hosted data.

Affected Systems

Marko‑M Quick Count plugin versions 3.00 and earlier running on WordPress sites are impacted. Any site that uses these plugin versions without an upgrade is at risk.

Risk and Exploitability

The CVSS score of 9.8 marks this as a critical vulnerability. The EPSS score of less than 1% indicates low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog, suggesting no confirmed widespread attacks yet. The likely attack path is remote: an attacker can send a crafted HTTP request or input that the plugin deserializes, potentially triggering object injection and remote code execution with the permissions of the web‑server process.

Generated by OpenCVE AI on May 1, 2026 at 19:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Quick Count plugin release (>=3.01) which removes the vulnerable deserialization path.
  • If an update is not immediately available, disable or remove the Quick Count plugin from the WordPress installation to block the attack surface.
  • Audit any custom code or other plugins that use PHP's unserialize function with untrusted data, and replace it with safe alternatives or enforce strict validation to mitigate future deserialization risks.

Generated by OpenCVE AI on May 1, 2026 at 19:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-3547 Deserialization of Untrusted Data vulnerability in NotFound Quick Count allows Object Injection. This issue affects Quick Count: from n/a through 3.00.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in NotFound Quick Count allows Object Injection. This issue affects Quick Count: from n/a through 3.00. Deserialization of Untrusted Data vulnerability in Marko-M Quick Count quick-count allows Object Injection.This issue affects Quick Count: from n/a through <= 3.00.
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Thu, 23 Jan 2025 08:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 22 Jan 2025 14:45:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in NotFound Quick Count allows Object Injection. This issue affects Quick Count: from n/a through 3.00.
Title WordPress Quick Count Plugin <= 3.00 - PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-11T23:04:33.620Z

Reserved: 2025-01-16T11:32:32.177Z

Link: CVE-2025-23932

cve-icon Vulnrichment

Updated: 2025-01-22T19:39:10.340Z

cve-icon NVD

Status : Deferred

Published: 2025-01-22T15:15:25.827

Modified: 2026-04-23T15:24:48.470

Link: CVE-2025-23932

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T19:30:23Z

Weaknesses