Description
Deserialization of Untrusted Data vulnerability in QuantumCloud WPBot Pro Wordpress Chatbot allows Object Injection. This issue affects WPBot Pro Wordpress Chatbot: from n/a through 12.7.0.
Published: 2025-05-19
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Deserialization of untrusted data in the WPBot Pro Wordpress Chatbot plugin permits PHP object injection, a form of code injection that can allow an attacker to execute arbitrary PHP code on a WordPress site. This weakness is classified as CWE-502 and is the root cause of the vulnerability. An attacker who can trigger a deserialization event can gain full control of the affected web server, potentially leading to data exfiltration, site defacement, or the deployment of additional malicious payloads.

Affected Systems

The issue affects the QuantumCloud WPBot Pro Wordpress Chatbot plugin for WordPress, plugin versions 12.7.0 and earlier. No other vendors or products are listed as impacted.

Risk and Exploitability

The CVSS score of 9.8 marks this vulnerability as critical, yet the EPSS score of < 1% indicates that the likelihood of exploitation in the wild is currently low. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is remote through a crafted HTTP request that causes the plugin to deserialize untrusted input. An attacker would need to send specially crafted data that reaches the deserialization routine, which is possible via public plugin interfaces such as chat or form submissions.

Generated by OpenCVE AI on April 30, 2026 at 12:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WPBot Pro plugin to the latest released version that removes the vulnerable deserialization logic.
  • If an upgrade cannot be performed immediately, disable the plugin to eliminate the deserialization entry point until the patch is available.
  • Restrict or monitor any endpoints or form inputs that could trigger serialization and deserialization within the plugin while waiting for a patch.

Advisories
Source: EUVD
ID: EUVD-2025-28098
Title: Deserialization of Untrusted Data vulnerability in QuantumCloud WPBot Pro Wordpress Chatbot allows Object Injection. This issue affects WPBot Pro Wordpress Chatbot: from n/a through 12.7.0.

History

Tue, 28 Apr 2026 19:45:00 +0000


Tue, 28 Apr 2026 18:30:00 +0000

Type: Description
Values Removed: Deserialization of Untrusted Data vulnerability in QuantumCloud WPBot Pro Wordpress Chatbot wpbot-pro allows Object Injection. This issue affects WPBot Pro Wordpress Chatbot: from n/a through <= 12.7.0.
Values Added: Deserialization of Untrusted Data vulnerability in QuantumCloud WPBot Pro Wordpress Chatbot allows Object Injection. This issue affects WPBot Pro Wordpress Chatbot: from n/a through 12.7.0.

References

Thu, 23 Apr 2026 15:45:00 +0000


Thu, 23 Apr 2026 15:00:00 +0000

Type: Description
Values Removed: Deserialization of Untrusted Data vulnerability in QuantumCloud WPBot Pro Wordpress Chatbot allows Object Injection. This issue affects WPBot Pro Wordpress Chatbot: from n/a through 12.7.0.
Values Added: Deserialization of Untrusted Data vulnerability in QuantumCloud WPBot Pro Wordpress Chatbot wpbot-pro allows Object Injection. This issue affects WPBot Pro Wordpress Chatbot: from n/a through <= 12.7.0.

References

Mon, 19 May 2025 19:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 19 May 2025 18:15:00 +0000

Type: Description
Values Added: Deserialization of Untrusted Data vulnerability in QuantumCloud WPBot Pro Wordpress Chatbot allows Object Injection. This issue affects WPBot Pro Wordpress Chatbot: from n/a through 12.7.0.

Type: Title
Values Added: WordPress WPBot Pro Wordpress Chatbot <= 12.7.0 - PHP Object Injection Vulnerability

Type: Weaknesses
Values Added: CWE-502

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:45.916Z

Reserved: 2025-05-07T09:55:31.578Z

Link: CVE-2025-47582

Vulnrichment

Updated: 2025-05-19T18:18:33.580Z

NVD

Status: Deferred

Published: 2025-05-19T18:15:30.960

Modified: 2026-04-28T19:32:26.770

Link: CVE-2025-47582

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T12:45:22Z

Weaknesses