CVE-2025-39503 - Vulnerability Details

- WordPress Goodlayers Hotel plugin <= 3.1.4 - PHP Object Injection vulnerability

Description

Deserialization of Untrusted Data vulnerability in GoodLayers Goodlayers Hotel gdlr-hotel allows Object Injection.This issue affects Goodlayers Hotel: from n/a through <= 3.1.4.

Published: 2025-05-23

Score: 9.8 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is caused by insecure deserialization of untrusted data in the GoodLayers Goodlayers Hotel gdlr-hotel WordPress plugin. An attacker can inject PHP objects during deserialization, resulting in arbitrary code execution on the server. This leads to complete compromise of the affected site, affecting confidentiality, integrity, and availability.

Affected Systems

The plugin GoodLayers Goodlayers Hotel gdlr-hotel is affected. All releases from the initial launch up through version 3.1.4 contain the flaw, so any site running those versions must verify its plugin version and ensure it is updated.

Risk and Exploitability

The CVSS score of 9.8 classifies this issue as critical. The EPSS score of less than 1% indicates a low current exploitation probability, and the vulnerability is not listed in CISA's KEV catalog. Based on the description, the likely attack vector is inferred to involve the deserialization of user‑supplied data that the plugin accepts. If an attacker is able to provide crafted serialized PHP objects to this input, they can trigger execution of arbitrary code during object construction. The flaw does not require privileged credentials or specialized network exposure beyond standard access to the WordPress installation, so both remote and local contexts are feasible depending on how the plugin processes inputs.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

GoodLayers

Goodlayers Hotel

unaffected

Version	Status	Constraints
`0`	affected	≤ 3.1.4

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the GoodLayers Goodlayers Hotel gdlr-hotel plugin to a version newer than 3.1.4.
If an upgrade cannot be applied immediately, temporarily deactivate or remove the Goodlayers Hotel plugin to remove the deserialization entry point.
Implement strict input validation for any data that is deserialized by the plugin, ensuring only trusted content is processed or switching to a safer deserialization method.

Generated by OpenCVE AI on April 30, 2026 at 19:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-27967	Deserialization of Untrusted Data vulnerability in GoodLayers Goodlayers Hotel allows Object Injection. This issue affects Goodlayers Hotel: from n/a through 3.1.4.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00369.

Exploitation none

Automatable yes

Technical Impact total

References

Link	Providers
https://patchstack.com/database/Wordpress/Plugin/gdlr-hotel/vulnerability/wordpress-goodlayers-hotel-plugin-3-1-4-php-object-injection-vulnerability?_s_id=cve

History

Thu, 23 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

Wed, 01 Apr 2026 23:45:00 +0000

Type	Values Removed	Values Added
Description	Deserialization of Untrusted Data vulnerability in GoodLayers Goodlayers Hotel allows Object Injection. This issue affects Goodlayers Hotel: from n/a through 3.1.4.	Deserialization of Untrusted Data vulnerability in GoodLayers Goodlayers Hotel gdlr-hotel allows Object Injection.This issue affects Goodlayers Hotel: from n/a through <= 3.1.4.
References	https://patchstack.com/database/wordpress/plugin/gdlr-hotel/vulnerability/wordpress-goodlayers-hotel-plugin-3-1-4-php-object-injection-vulnerability?_s_id=cve	https://patchstack.com/database/Wordpress/Plugin/gdlr-hotel/vulnerability/wordpress-goodlayers-hotel-plugin-3-1-4-php-object-injection-vulnerability?_s_id=cve
Metrics	cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

Fri, 23 May 2025 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Fri, 23 May 2025 13:00:00 +0000

Type	Values Removed	Values Added
Description		Deserialization of Untrusted Data vulnerability in GoodLayers Goodlayers Hotel allows Object Injection. This issue affects Goodlayers Hotel: from n/a through 3.1.4.
Title		WordPress Goodlayers Hotel plugin <= 3.1.4 - PHP Object Injection vulnerability
Weaknesses		CWE-502
References		https://patchstack.com/database/wordpress/plugin/gdlr-hotel/vulnerability/wordpress-goodlayers-hotel-plugin-3-1-4-php-object-injection-vulnerability?_s_id=cve
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2025-05-23T12:43:51.237Z

Updated: 2026-04-28T16:12:32.965Z

Reserved: 2025-04-16T06:24:15.129Z

Link: CVE-2025-39503

Vulnrichment

Updated: 2025-05-23T13:41:07.208Z

NVD

Status : Deferred

Published: 2025-05-23T13:15:31.940

Modified: 2026-04-23T15:29:41.180

Link: CVE-2025-39503

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T19:15:16Z

Weaknesses

CWE-502

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object