Description
Deserialization of Untrusted Data vulnerability in ShapedPlugin LLC WP Tabs wp-expand-tabs-free allows Object Injection.This issue affects WP Tabs: from n/a through <= 2.2.12.
Published: 2025-05-16
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Deserialization of untrusted data in the WP Tabs plugin allows PHP object injection, a weakness that could enable an attacker to instantiate malicious objects and execute arbitrary code on the server. The flaw is a typical CWE‑502 (Deserialization of Untrusted Data) and can compromise confidentiality, integrity, and availability of the affected WordPress site if exploited.

Affected Systems

The ShapedPlugin LLC WordPress widget WP Tabs (wp‑expand‑tabs‑free) is affected. Any installation running version 2.2.12 or older is vulnerable; versions up to and including 2.2.12 are listed as impacted.

Risk and Exploitability

The CVSS score of 7.2 labels the vulnerability as high severity. Its EPSS score of less than 1% indicates a very low probability of exploitation at present. The vulnerability is not included in the CISA KEV catalog. The likely attack vector is through the WordPress interface that accepts untrusted input, where an attacker could craft data that triggers the unserialize logic. If the action is not mitigated, the risk of achieving remote code execution remains significant.

Generated by OpenCVE AI on April 30, 2026 at 12:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP Tabs plugin to version 2.2.13 or later.
  • If an immediate upgrade is not possible, disable or delete the WP Tabs plugin to block exploitation.
  • Review other WordPress plugins for unserialize usage on untrusted data and apply necessary patches or updates.

Generated by OpenCVE AI on April 30, 2026 at 12:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-15515 Deserialization of Untrusted Data vulnerability in ShapedPlugin LLC WP Tabs allows Object Injection. This issue affects WP Tabs: from n/a through 2.2.11.
History

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in ShapedPlugin LLC WP Tabs allows Object Injection. This issue affects WP Tabs: from n/a through 2.2.11. Deserialization of Untrusted Data vulnerability in ShapedPlugin LLC WP Tabs wp-expand-tabs-free allows Object Injection.This issue affects WP Tabs: from n/a through <= 2.2.12.
Title WordPress WP Tabs <= 2.2.11 - PHP Object Injection Vulnerability WordPress WP Tabs plugin <= 2.2.12 - PHP Object Injection Vulnerability
References

Fri, 30 May 2025 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Shapedplugin
Shapedplugin wp Tabs
CPEs cpe:2.3:a:shapedplugin:wp_tabs:*:*:*:*:*:wordpress:*:*
Vendors & Products Shapedplugin
Shapedplugin wp Tabs

Fri, 16 May 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 16 May 2025 16:00:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in ShapedPlugin LLC WP Tabs allows Object Injection. This issue affects WP Tabs: from n/a through 2.2.11.
Title WordPress WP Tabs <= 2.2.11 - PHP Object Injection Vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Shapedplugin Wp Tabs
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T00:16:37.798Z

Reserved: 2025-05-15T18:01:40.431Z

Link: CVE-2025-48134

cve-icon Vulnrichment

Updated: 2025-05-16T16:23:41.888Z

cve-icon NVD

Status : Modified

Published: 2025-05-16T16:15:45.100

Modified: 2026-04-23T15:30:51.570

Link: CVE-2025-48134

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T13:00:13Z

Weaknesses