Description
Deserialization of Untrusted Data vulnerability in BestWpDeveloper WooCommerce Product Multi-Action Woo-product-multiaction allows Object Injection. This issue affects WooCommerce Product Multi-Action: from n/a through <= 1.3.
Published: 2025-07-04
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WooCommerce Product Multi-Action plugin deserializes untrusted data, which allows an attacker to inject arbitrary objects. This Object Injection flaw can lead to execution of attacker-controlled code on the server, resulting in full compromise of the WordPress site, data theft, and site sabotage. The weakness is classified as CWE-502 and appears in the plugin's code as acceptance of serialized payloads without proper validation.

Affected Systems

All installations of BestWpDeveloper's WooCommerce Product Multi-Action plugin with versions up to and including 1.3 are affected. The vulnerability applies to any WordPress site using this plugin, regardless of other plugins or themes present.

Risk and Exploitability

The vulnerability carries a CVSS v3.1 base score of 9.8 and an EPSS score of less than 1%, indicating that while the severity is critical, the likelihood of exploitation in the wild is low at present. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is web-based, where adversaries can send crafted serialized data through plugin endpoints or administrative forms. If successful, an attacker could gain complete control over the affected site.

Generated by OpenCVE AI on April 30, 2026 at 09:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WooCommerce Product Multi-Action plugin to the latest version (v1.4 or newer) to remove the deserialization flaw.
  • If an upgrade cannot be performed immediately, disable or uninstall the plugin to eliminate the attack surface.
  • Review the plugin's input handling so that serialized data from untrusted sources is rejected, and apply any custom security hardening that mitigates object injection.


Advisories

Source: EUVD
ID: EUVD-2025-20009
Title: Deserialization of Untrusted Data vulnerability in BestWpDeveloper WooCommerce Product Multi-Action allows Object Injection. This issue affects WooCommerce Product Multi-Action: from n/a through 1.3.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Value: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Deserialization of Untrusted Data vulnerability in BestWpDeveloper WooCommerce Product Multi-Action allows Object Injection. This issue affects WooCommerce Product Multi-Action: from n/a through 1.3.
Values Added: Deserialization of Untrusted Data vulnerability in BestWpDeveloper WooCommerce Product Multi-Action Woo-product-multiaction allows Object Injection.This issue affects WooCommerce Product Multi-Action: from n/a through <= 1.3.

Type: Title
Values Removed: WordPress WooCommerce Product Multi-Action <= 1.3 - Deserialization of untrusted data Vulnerability
Values Added: WordPress WooCommerce Product Multi-Action plugin <= 1.3 - Deserialization of untrusted data Vulnerability

Type: References

Type: Metrics (cvssV3_1)
Value: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Tue, 08 Jul 2025 14:15:00 +0000

Type: Metrics (ssvc)
Value: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 04 Jul 2025 11:30:00 +0000

Type: Description
Values Added: Deserialization of Untrusted Data vulnerability in BestWpDeveloper WooCommerce Product Multi-Action allows Object Injection. This issue affects WooCommerce Product Multi-Action: from n/a through 1.3.

Type: Title
Values Added: WordPress WooCommerce Product Multi-Action <= 1.3 - Deserialization of untrusted data Vulnerability

Type: Weaknesses
Values Added: CWE-502

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:04.120Z

Reserved: 2025-06-04T15:44:22.452Z

Link: CVE-2025-49417

Vulnrichment

Updated: 2025-07-08T13:59:53.364Z

NVD

Status: Deferred

Published: 2025-07-04T12:15:31.003

Modified: 2026-04-23T15:31:38.780

Link: CVE-2025-49417

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T10:00:16Z

Weaknesses