Description
Cross-Site Request Forgery (CSRF) vulnerability in iThemes ServerBuddy by PluginBuddy.Com allows Object Injection.This issue affects ServerBuddy by PluginBuddy.Com: from n/a through 1.0.5.
Published: 2025-08-16
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a cross-site request forgery flaw that permits an attacker to trigger PHP object injection in the ServerBuddy plugin. By sending a forged request that the plugin does not properly verify, an attacker can induce the plugin to instantiate arbitrary PHP objects. In a typical PHP environment, such manipulation can lead to execution of arbitrary code, enabling full compromise of the affected WordPress installation.

Affected Systems

The issue impacts the iThemes: ServerBuddy plugin by PluginBuddy.com, specifically all releases from the earliest available version up to and including 1.0.5. No later versions appear to be affected, but the affected range extends to 1.0.5 as the last known vulnerable release.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity, while the EPSS score of less than 1% suggests that exploit attempts are unlikely to be widespread at present. The vulnerability is not listed in CISA’s KEV catalog, reinforcing that it is not a known active exploit. The likely attack vector is via a web-based CSRF attack, requiring the victim to be a user with rights to trigger the affected plugin action, often an administrator. Once the CSRF request is executed, the injected PHP object can lead to remote code execution.

Generated by OpenCVE AI on April 30, 2026 at 08:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update ServerBuddy to a version newer than 1.0.5, if one is available from the vendor.
  • Deactivate or uninstall the plugin if it is not required for site operation.
  • If the plugin must remain active and no newer release exists, add a nonce or CSRF token check to all plugin actions to prevent unauthorized request execution.

Generated by OpenCVE AI on April 30, 2026 at 08:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-25056 Cross-Site Request Forgery (CSRF) vulnerability in iThemes ServerBuddy by PluginBuddy.Com allows Object Injection.This issue affects ServerBuddy by PluginBuddy.Com: from n/a through 1.0.5.
History

Tue, 28 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-862
References

Tue, 28 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in iThemes School Management school-management allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects School Management: from n/a through <= 93.2.0. Cross-Site Request Forgery (CSRF) vulnerability in iThemes ServerBuddy by PluginBuddy.Com allows Object Injection.This issue affects ServerBuddy by PluginBuddy.Com: from n/a through 1.0.5.
Title WordPress School Management Plugin <= 93.2.0 - Broken Access Control Vulnerability WordPress ServerBuddy by PluginBuddy.com plugin <= 1.0.5 - CSRF to PHP Object Injection vulnerability
Weaknesses CWE-352
References

Thu, 23 Apr 2026 15:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-352
References

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in iThemes ServerBuddy by PluginBuddy.Com allows Object Injection.This issue affects ServerBuddy by PluginBuddy.Com: from n/a through 1.0.5. Missing Authorization vulnerability in iThemes School Management school-management allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects School Management: from n/a through <= 93.2.0.
Title WordPress ServerBuddy by PluginBuddy.com plugin <= 1.0.5 - CSRF to PHP Object Injection vulnerability WordPress School Management Plugin <= 93.2.0 - Broken Access Control Vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}

Mon, 18 Aug 2025 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Ithemes
Ithemes serverbuddy
Wordpress
Wordpress wordpress
Vendors & Products Ithemes
Ithemes serverbuddy
Wordpress
Wordpress wordpress

Mon, 18 Aug 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Sat, 16 Aug 2025 03:00:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in iThemes ServerBuddy by PluginBuddy.Com allows Object Injection.This issue affects ServerBuddy by PluginBuddy.Com: from n/a through 1.0.5.
Title WordPress ServerBuddy by PluginBuddy.com plugin <= 1.0.5 - CSRF to PHP Object Injection vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Ithemes Serverbuddy
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:07.331Z

Reserved: 2025-06-11T16:06:34.446Z

Link: CVE-2025-49895

cve-icon Vulnrichment

Updated: 2025-08-18T13:56:26.363Z

cve-icon NVD

Status : Deferred

Published: 2025-08-16T03:15:25.677

Modified: 2026-04-28T19:33:11.190

Link: CVE-2025-49895

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T09:00:19Z

Weaknesses