CVE-2025-46473 - Vulnerability Details

- WordPress Social Counter plugin <= 2.0.5 - PHP Object Injection Vulnerability

Description

Deserialization of Untrusted Data vulnerability in Prisna Social Counter social-counter allows Object Injection.This issue affects Social Counter: from n/a through <= 2.0.5.

Published: 2025-04-24

Score: 7.2 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is a deserialization of untrusted data flaw that allows object injection. An attacker who can supply crafted serialized payloads to the Social Counter plugin can have the plugin instantiate malicious objects and execute arbitrary PHP code. The result can be a full compromise of the affected WordPress site; however, the CVE description does not specify whether authentication is required, so it is inferred that access to the vulnerable function is needed but the exact authentication requirements are unknown.

Affected Systems

WordPress users running the Prisna Social Counter plugin up to and including version 2.0.5 are impacted. No other versions or plugins are mentioned in the advisory.

Risk and Exploitability

The CVSS score of 7.2 indicates a high risk, while the EPSS score of less than 1% suggests that exploitation is currently unlikely but not impossible. Because the function that processes serialized data is exposed through the web interface, the likely attack vector is web‑based. The vulnerability is not listed in the CISA KEV catalog, so there is no known widespread exploitation at this time.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Prisna

Social Counter

unaffected

Version	Status	Constraints
`0`	affected	≤ 2.0.5

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Prisna Social Counter plugin to the latest version that is newer than 2.0.5.
If an upgrade is not available, remove the Social Counter plugin from the WordPress installation.
Ensure that the web application firewall or server configuration blocks or sanitizes any serialized input sent to the plugin’s endpoints, and monitor WP‑admin logs for suspicious activity.

Generated by OpenCVE AI on May 1, 2026 at 09:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-12060	Deserialization of Untrusted Data vulnerability in djjmz Social Counter allows Object Injection. This issue affects Social Counter: from n/a through 2.0.5.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00138.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://patchstack.com/database/Wordpress/Plugin/social-counter/vulnerability/wordpress-social-counter-2-0-5-php-object-injection-vulnerability?_s_id=cve

History

Thu, 23 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}`

Wed, 01 Apr 2026 23:45:00 +0000

Type	Values Removed	Values Added
Description	Deserialization of Untrusted Data vulnerability in djjmz Social Counter allows Object Injection. This issue affects Social Counter: from n/a through 2.0.5.	Deserialization of Untrusted Data vulnerability in Prisna Social Counter social-counter allows Object Injection.This issue affects Social Counter: from n/a through <= 2.0.5.
Title	WordPress Social Counter <= 2.0.5 - PHP Object Injection Vulnerability	WordPress Social Counter plugin <= 2.0.5 - PHP Object Injection Vulnerability
References	https://patchstack.com/database/wordpress/plugin/social-counter/vulnerability/wordpress-social-counter-2-0-5-php-object-injection-vulnerability?_s_id=cve	https://patchstack.com/database/Wordpress/Plugin/social-counter/vulnerability/wordpress-social-counter-2-0-5-php-object-injection-vulnerability?_s_id=cve
Metrics	cvssV3_1 `{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}`

Thu, 24 Apr 2025 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 24 Apr 2025 16:15:00 +0000

Type	Values Removed	Values Added
Description		Deserialization of Untrusted Data vulnerability in djjmz Social Counter allows Object Injection. This issue affects Social Counter: from n/a through 2.0.5.
Title		WordPress Social Counter <= 2.0.5 - PHP Object Injection Vulnerability
Weaknesses		CWE-502
References		https://patchstack.com/database/wordpress/plugin/social-counter/vulnerability/wordpress-social-counter-2-0-5-php-object-injection-vulnerability?_s_id=cve
Metrics		cvssV3_1 `{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2025-04-24T16:09:27.002Z

Updated: 2026-04-28T16:12:38.449Z

Reserved: 2025-04-24T14:22:38.654Z

Link: CVE-2025-46473

Vulnrichment

Updated: 2025-04-24T19:52:48.419Z

NVD

Status : Deferred

Published: 2025-04-24T16:15:38.123

Modified: 2026-04-23T15:30:03.950

Link: CVE-2025-46473

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T09:15:13Z

Weaknesses

CWE-502

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object