CVE-2025-47660 - Vulnerability Details

- WordPress WC Affiliate plugin <= 2.16 - PHP Object Injection vulnerability

Description

Deserialization of Untrusted Data vulnerability in Codexpert, Inc WC Affiliate wc-affiliate allows Object Injection.This issue affects WC Affiliate: from n/a through <= 2.16.

Published: 2025-05-23

Score: 8.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Deserialization of untrusted data allows arbitrary PHP object injection, a critical flaw in the WC Affiliate plugin. This improper handling of serialized input can lead to arbitrary code execution, compromising confidentiality, integrity and availability of the affected WordPress site. The weakness is represented by CWE‑502, highlighting insecure deserialization.

Affected Systems

The flaw exists in Codexpert, Inc’s WC Affiliate plugin for WordPress versions with the plugin set to 2.16 or earlier. Site administrators using these product releases should verify which version is installed.

Risk and Exploitability

Based on the description, it is inferred that the likely attack vector involves the delivery of crafted serialized objects through the plugin's endpoints or other input mechanisms. The CVSS score of 8.8 signals high severity. Although the EPSS score is below 1 %, indicating a low probability of exploitation, the vulnerability remains a significant risk because it can be leveraged remotely if an attacker submits a crafted payload. The flaw is not listed in CISA KEV, but its impact warrants immediate attention. Adversaries could deliver malicious serialized objects via plugin endpoints or other input mechanisms to gain control over the server.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Codexpert, Inc

WC Affiliate

unaffected

Version	Status	Constraints
`0`	affected	≤ 2.16

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest version of the WC Affiliate plugin, which removes the deserialization vulnerability.
If an upgrade cannot be performed immediately, disable or deactivate the plugin to prevent exploitation.
Monitor traffic for anomalous serialized payloads and configure a web application firewall to block suspicious requests.

Generated by OpenCVE AI on May 1, 2026 at 08:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-28112	Deserialization of Untrusted Data vulnerability in Codexpert, Inc WC Affiliate allows Object Injection. This issue affects WC Affiliate: from n/a through 2.9.1.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00336.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://patchstack.com/database/Wordpress/Plugin/wc-affiliate/vulnerability/wordpress-wc-affiliate-2-8-php-object-injection-vulnerability?_s_id=cve

History

Thu, 23 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Wed, 01 Apr 2026 23:45:00 +0000

Type	Values Removed	Values Added
Description	Deserialization of Untrusted Data vulnerability in Codexpert, Inc WC Affiliate allows Object Injection. This issue affects WC Affiliate: from n/a through 2.9.1.	Deserialization of Untrusted Data vulnerability in Codexpert, Inc WC Affiliate wc-affiliate allows Object Injection.This issue affects WC Affiliate: from n/a through <= 2.16.
Title	WordPress WC Affiliate <= 2.9.1 - PHP Object Injection Vulnerability	WordPress WC Affiliate plugin <= 2.16 - PHP Object Injection vulnerability
References	https://patchstack.com/database/wordpress/plugin/wc-affiliate/vulnerability/wordpress-wc-affiliate-2-8-php-object-injection-vulnerability?_s_id=cve	https://patchstack.com/database/Wordpress/Plugin/wc-affiliate/vulnerability/wordpress-wc-affiliate-2-8-php-object-injection-vulnerability?_s_id=cve
Metrics	cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Tue, 27 May 2025 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Fri, 23 May 2025 13:00:00 +0000

Type	Values Removed	Values Added
Description		Deserialization of Untrusted Data vulnerability in Codexpert, Inc WC Affiliate allows Object Injection. This issue affects WC Affiliate: from n/a through 2.9.1.
Title		WordPress WC Affiliate <= 2.9.1 - PHP Object Injection Vulnerability
Weaknesses		CWE-502
References		https://patchstack.com/database/wordpress/plugin/wc-affiliate/vulnerability/wordpress-wc-affiliate-2-8-php-object-injection-vulnerability?_s_id=cve
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2025-05-23T12:43:22.575Z

Updated: 2026-04-28T16:12:48.580Z

Reserved: 2025-05-07T10:45:20.228Z

Link: CVE-2025-47660

Vulnrichment

Updated: 2025-05-27T14:14:09.230Z

NVD

Status : Deferred

Published: 2025-05-23T13:15:42.200

Modified: 2026-04-23T15:30:41.917

Link: CVE-2025-47660

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T08:15:12Z

Weaknesses

CWE-502

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object