Description
Deserialization of Untrusted Data vulnerability in Stylemix uListing ulisting allows Object Injection.This issue affects uListing: from n/a through <= 2.2.0.
Published: 2025-04-17
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Stylemix uListing WordPress plugin contains an insecure deserialization routine that accepts untrusted data and performs PHP unserialization. Because the plugin does not validate or sanitize the serialized input, an attacker could craft a payload that instantiates arbitrary PHP objects. This form of object injection might allow unauthorized manipulation of application data or execution of malicious code when the objects are processed by the plugin. The description does not explicitly state that remote code execution is guaranteed, so this potential consequence is inferred from the nature of the vulnerability.

Affected Systems

The vulnerability affects the Stylemix uListing plugin for WordPress versions 2.2.0 and earlier. Any WordPress site that is running the plugin at or below this version is potentially impacted.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity risk. The EPSS score is below 1%, suggesting a low probability of current exploitation. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is through any input that the plugin deserializes, such as form submissions or URL parameters; this inference is based on the plugin's handling of serialized data.

Generated by OpenCVE AI on May 1, 2026 at 09:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Stylemix uListing plugin to a version newer than 2.2.0.
  • If an upgrade cannot be performed immediately, block requests containing serialized PHP objects with a web application firewall or other filtering mechanism before they reach the plugin.
  • Review and patch the plugin's code to replace unsafely used unserialize calls with a secure deserialization approach or apply strict validation to ensure only trusted data is processed.

Generated by OpenCVE AI on May 1, 2026 at 09:49 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-11729 Deserialization of Untrusted Data vulnerability in Stylemix uListing allows Object Injection. This issue affects uListing: from n/a through 2.2.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in Stylemix uListing allows Object Injection. This issue affects uListing: from n/a through 2.2.0. Deserialization of Untrusted Data vulnerability in Stylemix uListing ulisting allows Object Injection.This issue affects uListing: from n/a through <= 2.2.0.
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Thu, 17 Apr 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 17 Apr 2025 16:00:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in Stylemix uListing allows Object Injection. This issue affects uListing: from n/a through 2.2.0.
Title WordPress uListing plugin <= 2.2.0 - Deserialization of untrusted data vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:27.321Z

Reserved: 2025-04-09T11:21:11.059Z

Link: CVE-2025-32662

cve-icon Vulnrichment

Updated: 2025-04-17T17:41:24.333Z

cve-icon NVD

Status : Deferred

Published: 2025-04-17T16:15:49.950

Modified: 2026-04-23T15:29:18.223

Link: CVE-2025-32662

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T10:00:12Z

Weaknesses