CVE-2025-47536 - Vulnerability Details

- WordPress Content Egg plugin <= 7.0.0 - PHP Object Injection Vulnerability

Description

Deserialization of Untrusted Data vulnerability in keywordrush Content Egg content-egg allows Object Injection.This issue affects Content Egg: from n/a through <= 7.0.0.

Published: 2025-08-14

Score: 7.2 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Deserialization of untrusted data within the Content Egg plugin enables PHP Object Injection, allowing an attacker to craft crafted serialized objects that may result in arbitrary code execution or other destructive actions if the injected object triggers malicious PHP code. This weakness is classified as CWE‑502 and can compromise the confidentiality, integrity, and availability of the affected WordPress site.

Affected Systems

The vulnerability exists in the Content Egg plugin for WordPress provided by Keywordrush, affecting all releases from the earliest version up through version 7.0.0. Users running any of these versions are therefore exposed.

Risk and Exploitability

The CVSS score of 7.2 indicates a high severity, while the EPSS score of less than 1 % suggests a low current likelihood of exploitation. The flaw is not listed in the CISA KEV catalog. Likely exploitation would occur via a web-based attack path where an attacker can supply serialized data to the plugin, typically through unauthenticated or authenticated input forms provided by the plugin.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

keywordrush

Content Egg

unaffected

Version	Status	Constraints
`0`	affected	≤ 7.0.0

No data.

Vendor	Product	Confidence	Versions
Keywordrush	Content Egg	—	—
Wordpress	Wordpress	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest Content Egg plugin update that fixes the deserialization flaw
If an update is unavailable, temporarily disable the Content Egg plugin until a patch is released
Ensure that any data deserialized by the plugin is validated and sanitized before use

Generated by OpenCVE AI on April 30, 2026 at 09:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-24747	Deserialization of Untrusted Data vulnerability in keywordrush Content Egg allows Object Injection. This issue affects Content Egg: from n/a through 7.0.0.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00149.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://patchstack.com/database/Wordpress/Plugin/content-egg/vulnerability/wordpress-content-egg-7-0-0-php-object-injection-vulnerability?_s_id=cve

History

Thu, 23 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}`

Wed, 01 Apr 2026 23:45:00 +0000

Type	Values Removed	Values Added
Description	Deserialization of Untrusted Data vulnerability in keywordrush Content Egg allows Object Injection. This issue affects Content Egg: from n/a through 7.0.0.	Deserialization of Untrusted Data vulnerability in keywordrush Content Egg content-egg allows Object Injection.This issue affects Content Egg: from n/a through <= 7.0.0.
References	https://patchstack.com/database/wordpress/plugin/content-egg/vulnerability/wordpress-content-egg-7-0-0-php-object-injection-vulnerability?_s_id=cve	https://patchstack.com/database/Wordpress/Plugin/content-egg/vulnerability/wordpress-content-egg-7-0-0-php-object-injection-vulnerability?_s_id=cve
Metrics	cvssV3_1 `{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}`

Thu, 14 Aug 2025 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 14 Aug 2025 13:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Keywordrush Keywordrush content Egg Wordpress Wordpress wordpress
Vendors & Products		Keywordrush Keywordrush content Egg Wordpress Wordpress wordpress

Thu, 14 Aug 2025 10:45:00 +0000

Type	Values Removed	Values Added
Description		Deserialization of Untrusted Data vulnerability in keywordrush Content Egg allows Object Injection. This issue affects Content Egg: from n/a through 7.0.0.
Title		WordPress Content Egg plugin <= 7.0.0 - PHP Object Injection Vulnerability
Weaknesses		CWE-502
References		https://patchstack.com/database/wordpress/plugin/content-egg/vulnerability/wordpress-content-egg-7-0-0-php-object-injection-vulnerability?_s_id=cve
Metrics		cvssV3_1 `{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}`

Subscriptions

Keywordrush Content Egg

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2025-08-14T10:34:25.579Z

Updated: 2026-04-28T16:12:44.509Z

Reserved: 2025-05-07T09:39:46.952Z

Link: CVE-2025-47536

Vulnrichment

Updated: 2025-08-14T19:35:08.019Z

NVD

Status : Deferred

Published: 2025-08-14T11:15:34.520

Modified: 2026-04-23T15:30:26.543

Link: CVE-2025-47536

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T09:15:28Z

Weaknesses

CWE-502

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object