CVE-2025-39527 - Vulnerability Details

- WordPress Rating by BestWebSoft plugin <= 1.7 - PHP Object Injection Vulnerability

Description

Deserialization of Untrusted Data vulnerability in bestweblayout Rating by BestWebSoft rating-bws allows Object Injection.This issue affects Rating by BestWebSoft: from n/a through <= 1.7.

Published: 2025-04-17

Score: 8.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The plugin deserializes untrusted input, allowing attackers to inject crafted PHP objects that are instantiated on the server. This results in server‑side code execution, compromising the integrity and confidentiality of the entire WordPress site, including its database and files.

Affected Systems

The vulnerability exists in the WordPress plugin "Rating by BestWebSoft" from any version through 1.7. Attackers can exploit any installation that has an outdated version of this plugin.

Risk and Exploitability

The base CVSS score of 8.8 indicates a high severity vulnerability. However, the EPSS score of less than 1% shows a currently very low probability of exploitation in the wild, and the issue is not listed in the CISA KEV catalog. The likely attack vector is through the plugin’s ability to accept serialized data from user inputs, meaning a logged‑in user or a user able to influence that input could trigger the flaw. Exploitation requires that the attacker can provide the malicious serialized payload to the plugin’s deserialization routine.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

bestweblayout

Rating by BestWebSoft

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.7

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the official plugin update to a version newer than 1.7
Disable the Rating by BestWebSoft plugin until the update is applied
Restrict user roles that can provide input to the plugin, and implement additional input validation or use security plugins to prevent serialized data injection

Generated by OpenCVE AI on May 1, 2026 at 09:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-11739	Deserialization of Untrusted Data vulnerability in bestwebsoft Rating by BestWebSoft allows Object Injection. This issue affects Rating by BestWebSoft: from n/a through 1.7.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00336.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://patchstack.com/database/Wordpress/Plugin/rating-bws/vulnerability/wordpress-rating-by-bestwebsoft-1-7-php-object-injection-vulnerability?_s_id=cve

History

Thu, 23 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Wed, 01 Apr 2026 23:45:00 +0000

Type	Values Removed	Values Added
Description	Deserialization of Untrusted Data vulnerability in bestwebsoft Rating by BestWebSoft allows Object Injection. This issue affects Rating by BestWebSoft: from n/a through 1.7.	Deserialization of Untrusted Data vulnerability in bestweblayout Rating by BestWebSoft rating-bws allows Object Injection.This issue affects Rating by BestWebSoft: from n/a through <= 1.7.
Title	WordPress Rating by BestWebSoft <= 1.7 - PHP Object Injection Vulnerability	WordPress Rating by BestWebSoft plugin <= 1.7 - PHP Object Injection Vulnerability
References	https://patchstack.com/database/wordpress/plugin/rating-bws/vulnerability/wordpress-rating-by-bestwebsoft-1-7-php-object-injection-vulnerability?_s_id=cve	https://patchstack.com/database/Wordpress/Plugin/rating-bws/vulnerability/wordpress-rating-by-bestwebsoft-1-7-php-object-injection-vulnerability?_s_id=cve
Metrics	cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Thu, 17 Apr 2025 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 17 Apr 2025 16:00:00 +0000

Type	Values Removed	Values Added
Description		Deserialization of Untrusted Data vulnerability in bestwebsoft Rating by BestWebSoft allows Object Injection. This issue affects Rating by BestWebSoft: from n/a through 1.7.
Title		WordPress Rating by BestWebSoft <= 1.7 - PHP Object Injection Vulnerability
Weaknesses		CWE-502
References		https://patchstack.com/database/wordpress/plugin/rating-bws/vulnerability/wordpress-rating-by-bestwebsoft-1-7-php-object-injection-vulnerability?_s_id=cve
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2025-04-17T15:46:55.251Z

Updated: 2026-04-28T16:12:34.162Z

Reserved: 2025-04-16T06:24:32.684Z

Link: CVE-2025-39527

Vulnrichment

Updated: 2025-04-17T17:41:36.778Z

NVD

Status : Deferred

Published: 2025-04-17T16:15:56.637

Modified: 2026-04-23T15:29:43.897

Link: CVE-2025-39527

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T10:00:12Z

Weaknesses

CWE-502

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object