Description
Deserialization of Untrusted Data vulnerability in CoinPayments CoinPayments.net Payment Gateway for WooCommerce coinpayments-payment-gateway-for-woocommerce allows Object Injection. This issue affects CoinPayments.net Payment Gateway for WooCommerce: from n/a through <= 1.0.17.
Published: 2025-05-23
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a PHP Object Injection flaw caused by deserialization of arbitrary data in the CoinPayments.net Payment Gateway for WooCommerce plugin. An attacker can craft a malicious serialized payload that, when processed by the plugin, instantiates objects with arbitrary properties and triggers the execution of arbitrary PHP code. This flaw, classified as CWE‑502, enables a determined adversary to compromise the confidentiality, integrity, and availability of the affected WordPress site. The CVSS score of 9.8 reflects the high potential impact of remote code execution.

Affected Systems

The affected product is CoinPayments.net Payment Gateway for WooCommerce for WordPress. Versions from the first released build up through 1.0.17 are vulnerable; no minimum version is specified, meaning any installation of this plugin up to 1.0.17 is at risk.

Risk and Exploitability

The EPSS score is below 1%, indicating a low probability of exploitation, but the high CVSS score still demands attention. The vulnerability is not listed in the CISA KEV catalog, so no exploitation in the wild is currently documented there. The likely attack vector is a crafted HTTP request to the plugin’s endpoints that carries untrusted serialized data; it is inferred that the plugin may accept such input from unauthenticated or low‑privilege users, making the flaw exploitable without explicit access rights.

Generated by OpenCVE AI on April 30, 2026 at 12:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade CoinPayments.net Payment Gateway for WooCommerce to version 1.0.18 or later.
  • If an upgrade cannot be performed immediately, disable or remove the plugin from the WordPress installation to prevent exploitation.
  • Configure a web application firewall or input validation rule to block or sanitize any serialized PHP data that could be supplied to the plugin’s endpoints.



Advisories
Source: EUVD
ID: EUVD-2025-28092
Title: Deserialization of Untrusted Data vulnerability in CoinPayments CoinPayments.net Payment Gateway for WooCommerce allows Object Injection. This issue affects CoinPayments.net Payment Gateway for WooCommerce: from n/a through 1.0.17.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Deserialization of Untrusted Data vulnerability in CoinPayments CoinPayments.net Payment Gateway for WooCommerce allows Object Injection. This issue affects CoinPayments.net Payment Gateway for WooCommerce: from n/a through 1.0.17.
  Added: Deserialization of Untrusted Data vulnerability in CoinPayments CoinPayments.net Payment Gateway for WooCommerce coinpayments-payment-gateway-for-woocommerce allows Object Injection.This issue affects CoinPayments.net Payment Gateway for WooCommerce: from n/a through <= 1.0.17.
Title
  Removed: WordPress CoinPayments.net Payment Gateway for WooCommerce <= 1.0.17 - PHP Object Injection Vulnerability
  Added: WordPress CoinPayments.net Payment Gateway for WooCommerce plugin <= 1.0.17 - PHP Object Injection Vulnerability
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Fri, 23 May 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 23 May 2025 13:00:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in CoinPayments CoinPayments.net Payment Gateway for WooCommerce allows Object Injection. This issue affects CoinPayments.net Payment Gateway for WooCommerce: from n/a through 1.0.17.
Title WordPress CoinPayments.net Payment Gateway for WooCommerce <= 1.0.17 - PHP Object Injection Vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T00:20:35.926Z

Reserved: 2025-05-07T09:39:46.952Z

Link: CVE-2025-47532

Vulnrichment

Updated: 2025-05-23T16:00:58.414Z

NVD

Status: Deferred

Published: 2025-05-23T13:15:39.057

Modified: 2026-04-23T15:30:26.077

Link: CVE-2025-47532

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T12:30:16Z

Weaknesses