Description
Deserialization of Untrusted Data vulnerability in flexmls Flexmls® IDX flexmls-idx allows Object Injection. This issue affects Flexmls® IDX: from n/a through <= 3.14.27.
Published: 2025-02-25
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is deserialization of untrusted data (CWE-502) in the Flexmls® IDX WordPress plugin, which permits PHP object injection. Through the injected objects, an attacker can execute arbitrary code, modify data, or otherwise compromise the integrity of the WordPress site.

Affected Systems

Any WordPress installation running the Flexmls® IDX plugin at version 3.14.27 or earlier is affected; no lower bound is listed (n/a), so all earlier releases should be treated as affected. The plugin is tracked under the vendor and product identifier flexmls:Flexmls® IDX.

Risk and Exploitability

The CVSS score of 9.8 classifies this vulnerability as Critical. The EPSS score of less than 1% indicates a low predicted probability of exploitation in the wild, even though a remote exploitation path exists. The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates a network-reachable attack requiring no privileges or user interaction, consistent with an unauthenticated request that supplies a crafted serialized payload to the plugin’s processing endpoints. The vulnerability is not listed in the CISA KEV catalog at this time, but it is publicly disclosed and could be exploited by attackers with sufficient motivation.

Generated by OpenCVE AI on May 1, 2026 at 15:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Flexmls® IDX to the latest release that is greater than 3.14.27
  • If an upgrade is not feasible, permanently disable or uninstall the Flexmls® IDX plugin
  • Implement input validation or disable PHP object deserialization in the plugin’s handling code, and monitor incoming requests for unexpected serialized data

Advisories

  Source: EUVD
  ID: EUVD-2025-5386
  Title: Deserialization of Untrusted Data vulnerability in flexmls Flexmls® IDX allows Object Injection. This issue affects Flexmls® IDX: from n/a through 3.14.27.

History

Thu, 23 Apr 2026 15:00:00 +0000
  Metrics (cvssV3_1): {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000
  Description, value removed: Deserialization of Untrusted Data vulnerability in flexmls Flexmls® IDX allows Object Injection. This issue affects Flexmls® IDX: from n/a through 3.14.27.
  Description, value added: Deserialization of Untrusted Data vulnerability in flexmls Flexmls® IDX flexmls-idx allows Object Injection.This issue affects Flexmls® IDX: from n/a through <= 3.14.27.
  References: (values not listed)
  Metrics (cvssV3_1): {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Tue, 25 Feb 2025 20:15:00 +0000
  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 25 Feb 2025 14:30:00 +0000
  Description: Deserialization of Untrusted Data vulnerability in flexmls Flexmls® IDX allows Object Injection. This issue affects Flexmls® IDX: from n/a through 3.14.27.
  Title: WordPress Flexmls® IDX Plugin Plugin <= 3.14.27 - PHP Object Injection vulnerability
  Weaknesses: CWE-502
  References: (values not listed)
  Metrics (cvssV3_1): {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:42.643Z

Reserved: 2025-02-17T11:50:42.822Z

Link: CVE-2025-26900

Vulnrichment

Updated: 2025-02-25T19:09:20.320Z

NVD

Status: Deferred

Published: 2025-02-25T15:15:25.853

Modified: 2026-04-23T15:26:01.547

Link: CVE-2025-26900

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T15:30:20Z

Weaknesses