Description
Deserialization of Untrusted Data vulnerability in Md Yeasin Ul Haider URL Shortener exact-links allows Object Injection. This issue affects URL Shortener: from n/a through <= 3.0.7.
Published: 2025-07-16
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a PHP Object Injection flaw (CWE-502) caused by deserialization of untrusted data in the URL Shortener plugin. An attacker who can deliver a crafted serialized string to the vulnerable unserialize() call can instantiate arbitrary classes with attacker-chosen property values; if a class in the site's autoload scope (this plugin, another plugin, the theme, or WordPress core) has a magic method such as __wakeup() or __destruct() with a useful side effect, the attacker chains those gadgets into file writes or code execution without ever calling them directly. The outcome can be complete compromise of the server, including data disclosure, modification, and loss of availability; whether it reaches code execution on a particular site depends on the gadget classes present, which the advisory does not enumerate.
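The pattern described above, as an added illustration that is not the URL Shortener plugin's code and not part of the OpenCVE page: a hypothetical gadget class (Cache_Writer), the vulnerable unserialize() call on request data, and two hardened replacements. The class and function names are assumptions made for the demo, the payload is constructed inline, and it requires PHP 8 or later.

```php
<?php
declare(strict_types=1);

// Added illustration (PHP 8+) of CWE-502 / PHP Object Injection, not the URL Shortener
// plugin's code. Cache_Writer, vulnerable_handler() and the other names are hypothetical;
// no gadget class in the real plugin is claimed.

// Any class loaded at unserialize() time whose magic method has a side effect is a
// potential gadget: this one writes a file from attacker-controlled properties.
final class Cache_Writer
{
    public string $path = '';
    public string $data = '';

    // Runs when the object is destroyed, including objects that unserialize() built
    // from untrusted input. The attacker never calls this method explicitly.
    public function __destruct()
    {
        if ($this->path !== '') {
            file_put_contents($this->path, $this->data);
        }
    }
}

// Vulnerable pattern: request data goes straight into unserialize().
function vulnerable_handler(string $untrusted): mixed
{
    return unserialize($untrusted);
}

// Hardened pattern 1: allow no classes at all. Objects in the payload become
// __PHP_Incomplete_Class instances whose magic methods never run.
function hardened_handler(string $untrusted): mixed
{
    return unserialize($untrusted, ['allowed_classes' => false]);
}

// Hardened pattern 2 (preferred for new code): a format that cannot describe objects.
function json_handler(string $untrusted): mixed
{
    return json_decode($untrusted, true, 512, JSON_THROW_ON_ERROR);
}

// Constructed attacker payload: a serialized Cache_Writer whose __destruct() writes a
// file of the attacker's choosing. A real gadget writing PHP under the web root means
// code execution; this demo targets a temp file so that it is harmless.
$target  = sys_get_temp_dir() . '/poi_demo_' . getmypid() . '.txt';
$payload = sprintf(
    'O:12:"Cache_Writer":2:{s:4:"path";s:%d:"%s";s:4:"data";s:6:"pwned!";}',
    strlen($target),
    $target
);

// 1. Vulnerable: the object is created, goes out of scope, and its destructor fires.
vulnerable_handler($payload);
$gadget_ran = is_file($target);
@unlink($target);

// 2. Hardened: same payload, but the class is never instantiated.
$obj = hardened_handler($payload);
$gadget_blocked = !is_file($target);

// 3. JSON: the payload is not valid JSON and is rejected outright.
try {
    json_handler($payload);
    $json_rejected = false;
} catch (JsonException) {
    $json_rejected = true;
}

printf("vulnerable: gadget ran = %s\n", $gadget_ran ? 'yes' : 'no');
printf("hardened:   class = %s, gadget ran = %s\n", get_class($obj), $gadget_blocked ? 'no' : 'yes');
printf("json:       payload rejected = %s\n", $json_rejected ? 'yes' : 'no');
```

Run it with `php poi_demo.php`. The point of the first case is that the vulnerable handler never touches the returned object: creating it and letting it be garbage-collected is enough for __destruct() to run with attacker-controlled properties. `allowed_classes => false` (or an explicit allow-list) is the minimal fix for code that must keep unserialize(); switching the data format to JSON removes the class of bug entirely.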

Affected Systems

The flaw affects the Md Yeasin Ul Haider 'URL Shortener' WordPress plugin in all releases up to and including version 3.0.7. Installing or using any of these versions exposes the site to potential exploitation.

Risk and Exploitability

The CVSS 3.1 vector behind the 9.8 score (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) describes a flaw reachable over the network with low attack complexity, no privileges and no user interaction, and with high impact on confidentiality, integrity and availability. The EPSS score of less than 1% indicates that, as of this analysis, the probability of observed exploitation remains very low, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a crafted HTTP request carrying a PHP-serialized object to wherever the plugin passes request data to unserialize(); the description names only the component ("exact-links") and does not identify the exact endpoint or parameter, so that detail is inferred rather than documented.

Generated by OpenCVE AI on May 1, 2026 at 06:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the URL Shortener plugin to a release newer than 3.0.7 as soon as the vendor publishes one; the affected range ends at 3.0.7, but this page records no vendor fix or workaround, so confirm that a newer release exists and that its changelog addresses the deserialization flaw
  • If no fixed release is available or updating is temporarily infeasible, deactivate and then delete the plugin; deactivation alone leaves the plugin's PHP files on disk and reachable by URL, and only deleting them removes the vulnerable code path
  • Until then, monitor HTTP requests for PHP-serialized object markers (for example O:<n>:"ClassName" in query parameters, POST bodies or cookies, including URL- or base64-encoded forms) and configure the web application firewall to block them; treat this as a compensating control only, because a signature cannot tell which parameter reaches the plugin's unserialize() call and misses encodings it does not decode
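A request pre-filter of the kind the monitoring recommendation calls for, as an added example that is not OpenCVE's text or the plugin's code: it looks for serialized object markers in GET, POST and cookie values, after one layer of URL or base64 decoding, and reports which parameter carried them. The parameter names and the five sample requests are constructed for the demo.

```php
<?php
declare(strict_types=1);

// Added example, not OpenCVE's recommendation text or the plugin's code: a heuristic
// pre-filter that flags PHP-serialized objects in request parameters and cookies.
// The parameter names and sample requests below are constructed for the demo.

// Serialized object markers: O:<len>:"Class":<n>:{ (plain objects) and
// C:<len>:"Class":<n>:{ (classes with custom serialization). The lookbehind keeps the
// regex from matching inside ordinary words; namespaced class names contain backslashes.
const PHP_OBJECT_MARKER = '/(?<![A-Za-z0-9])[OC]:\d+:"[A-Za-z_\\\\][A-Za-z0-9_\\\\]*":\d+:\{/';

// Return the raw value plus its URL-decoded and base64-decoded forms, so one layer of
// the encodings attackers commonly use cannot hide the marker.
function decode_layers(string $value): array
{
    $variants = [$value];
    $urldecoded = rawurldecode($value);
    if ($urldecoded !== $value) {
        $variants[] = $urldecoded;
    }
    foreach ($variants as $v) {
        // Only try base64 on strings that look like it (standard or URL-safe alphabet).
        if (preg_match('/^[A-Za-z0-9+\/=_-]{8,}$/', $v)) {
            $decoded = base64_decode(strtr($v, '-_', '+/'), true);
            if ($decoded !== false) {
                $variants[] = $decoded;
            }
        }
    }
    return $variants;
}

// Inspect every string in the query string, body and cookies; report the first hit per
// parameter. $request is ['get' => [...], 'post' => [...], 'cookie' => [...]].
function find_serialized_objects(array $request): array
{
    $hits = [];
    foreach (['get', 'post', 'cookie'] as $source) {
        foreach ($request[$source] ?? [] as $name => $value) {
            if (!is_string($value)) {
                continue;
            }
            foreach (decode_layers($value) as $candidate) {
                if (preg_match(PHP_OBJECT_MARKER, $candidate, $m)) {
                    $hits[] = ['source' => $source, 'param' => (string) $name, 'match' => $m[0]];
                    break;
                }
            }
        }
    }
    return $hits;
}

// Constructed sample requests (not real traffic). The first two must pass; the last three
// carry a serialized object in raw, URL-encoded and base64-encoded form.
$samples = [
    ['get'    => ['s' => 'exact-links', 'paged' => '2']],
    ['post'   => ['url' => 'https://example.com/?note=O:hello:"world"']],
    ['get'    => ['data' => 'O:8:"stdClass":1:{s:1:"x";i:1;}']],
    ['post'   => ['data' => rawurlencode('a:1:{i:0;O:8:"stdClass":0:{}}')]],
    ['cookie' => ['state' => base64_encode('O:11:"Some_Gadget":0:{}')]],
];

foreach ($samples as $i => $request) {
    $hits = find_serialized_objects($request);
    printf("request %d: %s\n", $i, $hits ? 'BLOCK ' . json_encode($hits) : 'allow');
}
```

Run it with `php detect_poi.php`; in production the same function would sit in a WAF rule, an `mu-plugin` that runs before other plugins load, or a log-analysis job over captured request bodies. It is a heuristic: an attacker can add a second encoding layer or use a transport the filter does not inspect (for example a JSON body with a serialized string inside), so it buys time to update or remove the plugin rather than replacing that step.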

Advisories
Source  ID  Title
EUVD  EUVD-2025-21602  Deserialization of Untrusted Data vulnerability in Md Yeasin Ul Haider URL Shortener allows Object Injection. This issue affects URL Shortener: from n/a through 3.0.7.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Deserialization of Untrusted Data vulnerability in Md Yeasin Ul Haider URL Shortener allows Object Injection. This issue affects URL Shortener: from n/a through 3.0.7.
  Added: Deserialization of Untrusted Data vulnerability in Md Yeasin Ul Haider URL Shortener exact-links allows Object Injection.This issue affects URL Shortener: from n/a through <= 3.0.7.
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 16 Jul 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 16 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00038}


Wed, 16 Jul 2025 11:45:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in Md Yeasin Ul Haider URL Shortener allows Object Injection. This issue affects URL Shortener: from n/a through 3.0.7.
Title WordPress URL Shortener <= 3.0.7 - PHP Object Injection Vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:51.884Z

Reserved: 2025-03-11T08:10:19.510Z

Link: CVE-2025-28961

Vulnrichment

Updated: 2025-07-16T13:19:53.186Z

NVD

Status : Deferred

Published: 2025-07-16T12:15:24.097

Modified: 2026-04-23T15:26:41.057

Link: CVE-2025-28961

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T07:00:06Z

Weaknesses