Description
Deserialization of Untrusted Data vulnerability in Chimpstudio Foodbakery Sticky Cart foodbakery-sticky-cart allows Object Injection.This issue affects Foodbakery Sticky Cart: from n/a through <= 3.2.
Published: 2025-05-19
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a deserialization flaw that permits PHP object injection. An attacker can supply malicious serialized data to the Foodbakery Sticky Cart plugin, causing the code to instantiate objects with attacker‑supplied values. This can lead to arbitrary code execution and compromise the entire WordPress site. The weakness is classified as CWE‑502: Deserialization of Untrusted Data.

Affected Systems

The affected product is Chimpstudio Foodbakery Sticky Cart, a WordPress plugin intended to add a sticky cart feature. Versions from the earliest release through 3.2, inclusive, are vulnerable; newer releases contain a patch that removes the insecure deserialization.

Risk and Exploitability

The assigned CVSS score of 9.8 marks this issue as critical. The EPSS score of less than 1% suggests that, as of the last assessment, exploitation attempts are rare, yet the potential impact is severe. The vulnerability is not listed in the CISA KEV catalog, but organizations should not rely on this status for risk mitigation. Attackers are inferred to be able to inject data via HTTP requests that trigger deserialization within the plugin, and because the flaw arises from handling untrusted input, authentication is not strictly required, implying a potential for exploitation without prior access.

Generated by OpenCVE AI on April 30, 2026 at 19:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Foodbakery Sticky Cart plugin to the latest version, which removes the insecure deserialization logic.
  • If an upgrade is delayed, consider disabling the plugin until a patch is available.
  • Use a web application firewall or input sanitization layer to block or validate any serialized objects that may be passed to the plugin’s endpoints.

Generated by OpenCVE AI on April 30, 2026 at 19:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-15779 Deserialization of Untrusted Data vulnerability in Chimpstudio Foodbakery Sticky Cart allows Object Injection.This issue affects Foodbakery Sticky Cart: from n/a through 3.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in Chimpstudio Foodbakery Sticky Cart allows Object Injection.This issue affects Foodbakery Sticky Cart: from n/a through 3.2. Deserialization of Untrusted Data vulnerability in Chimpstudio Foodbakery Sticky Cart foodbakery-sticky-cart allows Object Injection.This issue affects Foodbakery Sticky Cart: from n/a through <= 3.2.
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Mon, 19 May 2025 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 19 May 2025 20:00:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in Chimpstudio Foodbakery Sticky Cart allows Object Injection.This issue affects Foodbakery Sticky Cart: from n/a through 3.2.
Title WordPress Foodbakery Sticky Cart plugin <= 3.2 - PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:29.365Z

Reserved: 2025-04-16T06:22:10.075Z

Link: CVE-2025-39356

cve-icon Vulnrichment

Updated: 2025-05-19T21:11:44.520Z

cve-icon NVD

Status : Deferred

Published: 2025-05-19T20:15:23.640

Modified: 2026-04-23T15:29:24.160

Link: CVE-2025-39356

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T19:30:26Z

Weaknesses