Description
Deserialization of Untrusted Data vulnerability in Pagaleve Pix 4x sem juros - Pagaleve wc-pagaleve allows Object Injection.This issue affects Pix 4x sem juros - Pagaleve: from n/a through <= 1.6.9.
Published: 2025-05-23
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is a PHP object injection vulnerability arising from deserialization of untrusted data within the Pagaleve Pix 4x sem juros WordPress plugin, allowing an attacker to inject malicious serialized objects. The weakness is classified as CWE-502: Deserialization of Untrusted Data. The vulnerability may enable arbitrary code execution on the server, which could result in full compromise of the affected WordPress site, but this is inferred from the description.

Affected Systems

Any installation of the Pagaleve Pix 4x sem juros – Pagaleve plugin running version 1.6.9 or earlier is affected. The vendor references versions from unknown through 1.6.9 as vulnerable, with no other products or vendors listed.

Risk and Exploitability

The CVSS score of 9.8 reflects extreme severity, while the EPSS score of fewer than 1% indicates a low current exploitation likelihood. The vulnerability is not present in the CISA KEV catalog. Based on the description, it is inferred that exploitation would involve sending a crafted serialized payload to an endpoint that processes user input, allowing an attacker to achieve remote code execution or system takeover.

Generated by OpenCVE AI on May 1, 2026 at 08:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Pagaleve Pix 4x sem juros plugin to version 2.0 or later, or the latest release that eliminates the deserialization issue.
  • If an upgrade cannot be performed immediately, disable or delete the plugin from the WordPress installation to block further exploitation.
  • Configure a web application firewall or input‑validation layer to reject or sanitize serialized data that may be passed to the plugin’s deserialization functions.

Generated by OpenCVE AI on May 1, 2026 at 08:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-28201 Deserialization of Untrusted Data vulnerability in Pagaleve Pix 4x sem juros - Pagaleve allows Object Injection.This issue affects Pix 4x sem juros - Pagaleve: from n/a through 1.6.9.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in Pagaleve Pix 4x sem juros - Pagaleve allows Object Injection.This issue affects Pix 4x sem juros - Pagaleve: from n/a through 1.6.9. Deserialization of Untrusted Data vulnerability in Pagaleve Pix 4x sem juros - Pagaleve wc-pagaleve allows Object Injection.This issue affects Pix 4x sem juros - Pagaleve: from n/a through <= 1.6.9.
Title WordPress Pix 4x sem juros - Pagaleve <= 1.6.9 - PHP Object Injection Vulnerability WordPress Pix 4x sem juros - Pagaleve plugin <= 1.6.9 - PHP Object Injection Vulnerability
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Fri, 23 May 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 23 May 2025 14:45:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in Pagaleve Pix 4x sem juros &#8211; Pagaleve allows Object Injection. This issue affects Pix 4x sem juros &#8211; Pagaleve: from n/a through 1.6.9. Deserialization of Untrusted Data vulnerability in Pagaleve Pix 4x sem juros - Pagaleve allows Object Injection.This issue affects Pix 4x sem juros - Pagaleve: from n/a through 1.6.9.
Title WordPress Pix 4x sem juros – Pagaleve <= 1.6.9 - PHP Object Injection Vulnerability WordPress Pix 4x sem juros - Pagaleve <= 1.6.9 - PHP Object Injection Vulnerability

Fri, 23 May 2025 13:00:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in Pagaleve Pix 4x sem juros &#8211; Pagaleve allows Object Injection. This issue affects Pix 4x sem juros &#8211; Pagaleve: from n/a through 1.6.9.
Title WordPress Pix 4x sem juros – Pagaleve <= 1.6.9 - PHP Object Injection Vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:55.336Z

Reserved: 2025-05-19T14:13:30.916Z

Link: CVE-2025-48287

cve-icon Vulnrichment

Updated: 2025-05-23T14:53:20.732Z

cve-icon NVD

Status : Deferred

Published: 2025-05-23T13:15:44.740

Modified: 2026-04-23T15:31:02.190

Link: CVE-2025-48287

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T08:15:12Z

Weaknesses