Description
Deserialization of Untrusted Data vulnerability in wpinstinct WooCommerce Vehicle Parts Finder woo-vehicle-parts-finder allows Object Injection. This issue affects WooCommerce Vehicle Parts Finder: from n/a through <= 3.7.
Published: 2025-10-22
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a deserialization flaw that permits object injection when untrusted data is processed by the WooCommerce Vehicle Parts Finder plugin. An attacker who can supply crafted serialized input could cause the plugin to instantiate arbitrary PHP objects, leading to arbitrary code execution on the web server. The flaw resides in the plugin's handling of serialized data during normal operation and could be leveraged in a manner that compromises the confidentiality, integrity, and availability of the affected WordPress installation.

Affected Systems

The flaw affects the WooCommerce Vehicle Parts Finder plugin from wpinstinct, versions up to and including 3.7. Sites that use this plugin without applying the latest update are at risk. No other vendors or products are affected according to the CNA.

Risk and Exploitability

The CVSS score of 9.8 indicates critical severity, yet the EPSS score is below 1%, suggesting that widespread exploitation has not been observed. The vulnerability is not yet listed in the CISA KEV catalog. Attackers would likely target the plugin via HTTP requests that deliver serialized data; however, the exact entry point is not specified in the advisory, so the vector is inferred.

Generated by OpenCVE AI on April 30, 2026 at 05:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WooCommerce Vehicle Parts Finder plugin to version 3.8 or later, which removes the deserialization flaw.
  • If an upgrade is not immediately possible, disable or uninstall the plugin to eliminate the vulnerable code path.
  • Monitor server logs for unexpected serialized input or failed login attempts as a precaution against exploitation.



Advisories

No advisories yet.

History

Mon, 27 Apr 2026 20:15:00 +0000

Type: Metrics
Values Removed: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}
Values Added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 13 Nov 2025 11:30:00 +0000


Thu, 13 Nov 2025 10:45:00 +0000


Thu, 23 Oct 2025 16:15:00 +0000

Type: Metrics
Values Removed: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Oct 2025 10:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Woocommerce; Woocommerce woocommerce; Wordpress; Wordpress wordpress; Wpinstinct; Wpinstinct woocommerce Vehicle Parts Finder

Type: Vendors & Products
Values Removed: (none)
Values Added: Woocommerce; Woocommerce woocommerce; Wordpress; Wordpress wordpress; Wpinstinct; Wpinstinct woocommerce Vehicle Parts Finder

Wed, 22 Oct 2025 21:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Oct 2025 14:45:00 +0000

Type: Description
Values Added: Deserialization of Untrusted Data vulnerability in wpinstinct WooCommerce Vehicle Parts Finder woo-vehicle-parts-finder allows Object Injection. This issue affects WooCommerce Vehicle Parts Finder: from n/a through <= 3.7.

Type: Title
Values Added: WordPress WooCommerce Vehicle Parts Finder plugin <= 3.7 - PHP Object Injection vulnerability

Type: Weaknesses
Values Added: CWE-502

Type: References
Values Added:

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:02.695Z

Reserved: 2025-06-04T09:42:56.995Z

Link: CVE-2025-49380

Vulnrichment

Updated: 2025-10-22T20:13:56.404Z

NVD

Status: Deferred

Published: 2025-10-22T15:15:35.967

Modified: 2026-04-27T20:16:14.687

Link: CVE-2025-49380

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T06:00:12Z

Weaknesses