Description
The Glossary by WPPedia – Best Glossary plugin for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.0 via deserialization of untrusted input from the 'posttypes' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.
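The pattern behind this CWE-502 finding is a request value handed straight to unserialize(). The following PHP is an added illustration, not code from the WPPedia plugin: the function names, the request shape and the slug filter are assumptions, and the sample payloads are constructed. It places the vulnerable pattern next to two hardened forms so the difference is visible: allowed_classes => false stops PHP from instantiating attacker-chosen classes (so no __wakeup()/__destruct() gadget from another plugin or theme can run), and json_decode() removes object deserialization from the request path altogether.

```php
<?php
// Added example, not the plugin's own code. Names and the slug filter are assumptions.

// Vulnerable pattern: the serialized string fully controls which objects are
// created. On its own that is harmless; combined with a POP chain from another
// plugin or theme it becomes file deletion, data disclosure or code execution.
function load_posttypes_vulnerable(array $request): array
{
    $raw   = $request['posttypes'] ?? '';
    $value = unserialize($raw);              // CWE-502: objects allowed
    return is_array($value) ? $value : [];
}

// Keep only values that look like post type slugs (assumed validation rule).
function filter_slugs(array $values): array
{
    return array_values(array_filter($values, function ($v) {
        return is_string($v) && preg_match('/^[a-z0-9_-]{1,20}$/', $v) === 1;
    }));
}

// Hardened form 1: still PHP serialization, but no class is ever instantiated.
// Any object in the input becomes __PHP_Incomplete_Class, whose magic methods
// do not run user code, and it is then discarded by the type checks below.
function load_posttypes_no_objects(array $request): array
{
    $raw   = $request['posttypes'] ?? '';
    $value = unserialize($raw, ['allowed_classes' => false]);
    return is_array($value) ? filter_slugs($value) : [];
}

// Hardened form 2: do not use PHP serialization for request data at all.
// JSON cannot encode PHP objects, so there is nothing to inject.
function load_posttypes_json(array $request): array
{
    $raw   = $request['posttypes'] ?? '[]';
    $value = json_decode($raw, true);
    return is_array($value) ? filter_slugs($value) : [];
}

// Constructed sample inputs.
$benign  = ['posttypes' => serialize(['post', 'page'])];
$payload = ['posttypes' => 'O:8:"stdClass":1:{s:1:"x";i:1;}']; // a serialized object

// Show what each decoder does with the object payload.
echo "vulnerable: ", get_class(unserialize($payload['posttypes'])), PHP_EOL;
echo "allowed_classes=false: ",
     get_class(unserialize($payload['posttypes'], ['allowed_classes' => false])), PHP_EOL;

print_r(load_posttypes_vulnerable($benign));
print_r(load_posttypes_no_objects($benign));
print_r(load_posttypes_json(['posttypes' => json_encode(['post', 'page'])]));
```

Running the script shows the first line naming the class the attacker chose and the second naming __PHP_Incomplete_Class; the three print_r calls all return the same slug list, which is the point: for a list of post type names the hardened decoders lose no functionality. Of the two, the JSON form is preferable because it also removes the unserialize() call that a WAF rule or code audit would otherwise have to keep watching.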
Published: 2025-05-21
Score: 7.2 High
EPSS: 1.4% Low
KEV: No
Impact: Authenticated PHP Object Injection
Action: Patch
AI Analysis

Impact

The vulnerability allows authenticated administrators to cause the plugin to deserialize untrusted 'posttypes' input, creating a PHP Object Injection vector. While the plugin itself contains no known exploitation chain, the ability to inject arbitrary objects opens the door for more destructive actions when combined with a POP chain from other plugins or themes. Attackers could delete files, read sensitive data, or execute code if such a chain is present.

Affected Systems

The flaw affects the WordPress plugin 'Glossary by WPPedia – Best Glossary plugin for WordPress' versions up to 1.3.0. Users running any of those releases on a WordPress site with an administrator or higher role are potentially exposed.

Risk and Exploitability

The CVSS score of 7.2 indicates a high severity, while the EPSS score of 1% points to a low but non-zero likelihood of exploitation. The vulnerability requires administrative access and a pre-existing PHP object injection chain from another component; consequently, the actual risk is moderate. The vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on April 21, 2026 at 20:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Glossary by WPPedia to the latest patched version that removes the vulnerable deserialization logic.
  • If an upgrade cannot be performed immediately, restrict or disable access to the 'posttypes' functionality for administrators, or employ a web application firewall that blocks serialized PHP object payloads (strings matching the O:<len>:"<class>": form) submitted to the plugin.
  • Verify that no other installed plugins or themes contain a PHP object injection chain; remove or update any such components until the core plugin is patched.



Advisories
Source: EUVD
ID: EUVD-2025-16073
Title: same text as the Description above.
History

Wed, 21 May 2025 11:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 21 May 2025 09:30:00 +0000

Values Removed: (none)

Values Added:
  Description: same text as the Description above.
  Title: Glossary by WPPedia <= 1.3.0 - Authenticated (Administrator+) PHP Object Injection
  Weaknesses: CWE-502
  References: (none listed)
  Metrics: cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:53:13.104Z

Reserved: 2025-05-15T23:37:06.569Z

Link: CVE-2025-4803

Vulnrichment

Updated: 2025-05-21T10:12:33.238Z

NVD

Status: Deferred

Published: 2025-05-21T12:16:23.673

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-4803

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T20:45:25Z

Weaknesses