Description
Deserialization of Untrusted Data vulnerability in Tijmen Smit WP Store Locator wp-store-locator allows Object Injection. This issue affects WP Store Locator: from n/a through <= 2.2.260.
Published: 2025-10-22
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Deserialization of untrusted data in the WordPress WP Store Locator plugin allows attackers to inject arbitrary PHP objects. This object injection can lead to remote code execution on the web server that hosts the site. The flaw is a classic Deserialization of Untrusted Data weakness (CWE-502), in which unsanitized input is passed to PHP's unserialize() function, creating a high-impact attack surface.

Affected Systems

The vulnerability affects all installations of the WP Store Locator plugin up to and including version 2.2.260, that is, every release from the first available version through 2.2.260. Any WordPress site running this plugin may be impacted, regardless of the theme or other plugins in use.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, while the EPSS score of less than 1% indicates a low probability of exploitation at the current time. The weakness is classed as a PHP Object Injection, which an attacker could trigger by supplying crafted serialized data via any input that the plugin processes. Although it is not listed in the CISA KEV catalog, the potential for arbitrary code execution makes it a critical threat, especially for exposed websites. Basic defensive checks such as input validation or sandboxing are insufficient; an exploit would most likely succeed through the normal administrative or front-end interfaces that accept serialized data.

Generated by OpenCVE AI on April 29, 2026 at 16:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest non‑vulnerable release of the WP Store Locator plugin (any version newer than 2.2.260).
  • If an update cannot be applied immediately, deactivate or uninstall the plugin to prevent exploitation.
  • Implement a Web Application Firewall rule to reject crafted serialized payloads targeting the plugin endpoint.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 13 Nov 2025 11:30:00 +0000


Thu, 13 Nov 2025 10:45:00 +0000


Thu, 23 Oct 2025 10:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Wordpress; Wordpress wordpress
Vendors & Products                    Wordpress; Wordpress wordpress

Wed, 22 Oct 2025 20:15:00 +0000

Type      Values Removed   Values Added
Metrics                    cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
                           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 22 Oct 2025 14:45:00 +0000

Type          Values Removed   Values Added
Description                    Deserialization of Untrusted Data vulnerability in Tijmen Smit WP Store Locator wp-store-locator allows Object Injection. This issue affects WP Store Locator: from n/a through <= 2.2.260.
Title                          WordPress WP Store Locator plugin <= 2.2.260 - PHP Object Injection vulnerability
Weaknesses                     CWE-502
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:01:40.317Z

Reserved: 2025-06-19T10:02:47.062Z

Link: CVE-2025-52737

Vulnrichment

Updated: 2025-10-22T19:19:26.873Z

NVD

Status : Deferred

Published: 2025-10-22T15:15:43.837

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-52737

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T16:45:15Z

Weaknesses