Description
Deserialization of Untrusted Data vulnerability in silverplugins217 Multiple Shipping And Billing Address For Woocommerce different-shipping-and-billing-address-for-woocommerce allows Object Injection.This issue affects Multiple Shipping And Billing Address For Woocommerce: from n/a through <= 1.5.
Published: 2025-04-01
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the Multiple Shipping And Billing Address For Woocommerce plugin allows attackers to deserialize untrusted data, leading to PHP object injection. This flaw can be leveraged to execute arbitrary code or commands, granting full control over the affected WordPress site. The weakness is a deserialization flaw (CWE‑502) and directly jeopardizes confidentiality, integrity, and availability of the website.

Affected Systems

The flaw impacts the silverplugins217 WordPress plugin named Multiple Shipping And Billing Address For Woocommerce. All releases up to and including version 1.5 are vulnerable; any site using the plugin in this range remains at risk. No mitigated versions are listed beyond the stated cutoff.

Risk and Exploitability

With a CVSS score of 9.8, the vulnerability is considered critical. The EPSS score of <1% indicates a low current exploitation probability, and it is not listed in the CISA KEV catalog, suggesting no reported public exploits yet. Attackers would need to supply a malicious serialized payload to a vulnerable endpoint, typically through crafted HTTP requests or plugin‑provided forms. If an attacker gains authenticated access to the plugin’s administration interface, the exploitation complexity reduces, making the attack more feasible. Monitoring for suspicious POST requests to the plugin’s endpoints is recommended until a patch is applied.

Generated by OpenCVE AI on May 1, 2026 at 02:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Multiple Shipping And Billing Address For Woocommerce to a version newer than 1.5, or install the latest available release from the vendor.
  • If an immediate upgrade is not possible, disable or uninstall the plugin to eliminate the attack surface.
  • Restrict permission for the plugin’s files to prevent unauthorized modification and monitor the site for unusual deserialization attempts.

Generated by OpenCVE AI on May 1, 2026 at 02:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-9070 Deserialization of Untrusted Data vulnerability in silverplugins217 Multiple Shipping And Billing Address For Woocommerce allows Object Injection. This issue affects Multiple Shipping And Billing Address For Woocommerce: from n/a through 1.5.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in silverplugins217 Multiple Shipping And Billing Address For Woocommerce allows Object Injection. This issue affects Multiple Shipping And Billing Address For Woocommerce: from n/a through 1.5. Deserialization of Untrusted Data vulnerability in silverplugins217 Multiple Shipping And Billing Address For Woocommerce different-shipping-and-billing-address-for-woocommerce allows Object Injection.This issue affects Multiple Shipping And Billing Address For Woocommerce: from n/a through <= 1.5.
Title WordPress Multiple Shipping And Billing Address For Woocommerce <= 1.5 - PHP Object Injection Vulnerability WordPress Multiple Shipping And Billing Address For Woocommerce plugin <= 1.5 - PHP Object Injection Vulnerability
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Tue, 01 Apr 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 01 Apr 2025 05:45:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in silverplugins217 Multiple Shipping And Billing Address For Woocommerce allows Object Injection. This issue affects Multiple Shipping And Billing Address For Woocommerce: from n/a through 1.5.
Title WordPress Multiple Shipping And Billing Address For Woocommerce <= 1.5 - PHP Object Injection Vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:05.062Z

Reserved: 2025-03-26T09:26:11.885Z

Link: CVE-2025-31087

cve-icon Vulnrichment

Updated: 2025-04-01T13:39:47.720Z

cve-icon NVD

Status : Deferred

Published: 2025-04-01T06:15:56.390

Modified: 2026-04-23T15:27:40.900

Link: CVE-2025-31087

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T02:45:06Z

Weaknesses