Description
Deserialization of Untrusted Data vulnerability in manfcarlo WP Funnel Manager wp-funnel-manager allows Object Injection.This issue affects WP Funnel Manager: from n/a through <= 1.4.0.
Published: 2025-08-28
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability involves unsafe deserialization of untrusted data, enabling an attacker to perform object injection. The flawed deserialization routine in the WP Funnel Manager plugin can be exploited to instantiate arbitrary PHP objects, which may then trigger sensitive internal operations or code execution. Because the deserialization occurs with insufficient validation, an attacker can supply a crafted payload that leads to arbitrary code execution, exposing the entire web application to compromise.

Affected Systems

The issue affects the WP Funnel Manager WordPress plugin from its earliest release up to and including version 1.4.0. Any WordPress site that has this plugin installed without a newer version is vulnerable. Site administrators must verify the plugin version and the hosting environment that could facilitate the injection payload.

Risk and Exploitability

With a CVSS score of 9.8, this flaw is considered critical, and it is inferred that the vulnerability may be triggered via HTTP requests targeting the plugin’s data processing functions. The EPSS score of less than 1% suggests that widespread exploitation has not yet been observed, but the high severity means that once a valid exploit vector is discovered, the risk is extreme and the attack requires only legitimate input to the plugin. The vulnerability is not presently in the CISA KEV catalog, so no known active exploits have been recorded as of this analysis.

Generated by OpenCVE AI on May 1, 2026 at 06:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WP Funnel Manager plugin to the latest version that removes the vulnerable deserialization logic.
  • If an update is not immediately available, temporarily deactivate or uninstall the plugin to eliminate the attack surface.
  • Apply a web application firewall rule to block requests that contain serialized PHP objects or suspicious payload patterns targeting the plugin’s endpoints.
  • Ensure the plugin’s data files have restrictive permissions and are stored in a non‑executable directory to prevent unauthorized code injection.

Generated by OpenCVE AI on May 1, 2026 at 06:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-26006 Deserialization of Untrusted Data vulnerability in manfcarlo WP Funnel Manager allows Object Injection. This issue affects WP Funnel Manager: from n/a through 1.4.0.
History

Tue, 28 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Title WordPress WP Funnel Manager plugin <= 1.4.0 - PHP Object Injection vulnerability WordPress WP Funnel Manager Plugin <= 1.4.0 - PHP Object Injection Vulnerability

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Title WordPress WP Funnel Manager Plugin <= 1.4.0 - PHP Object Injection Vulnerability WordPress WP Funnel Manager plugin <= 1.4.0 - PHP Object Injection vulnerability
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in manfcarlo WP Funnel Manager allows Object Injection. This issue affects WP Funnel Manager: from n/a through 1.4.0. Deserialization of Untrusted Data vulnerability in manfcarlo WP Funnel Manager wp-funnel-manager allows Object Injection.This issue affects WP Funnel Manager: from n/a through <= 1.4.0.
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Thu, 28 Aug 2025 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Thu, 28 Aug 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 28 Aug 2025 13:00:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in manfcarlo WP Funnel Manager allows Object Injection. This issue affects WP Funnel Manager: from n/a through 1.4.0.
Title WordPress WP Funnel Manager Plugin <= 1.4.0 - PHP Object Injection Vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:18.370Z

Reserved: 2025-06-19T10:03:02.783Z

Link: CVE-2025-52761

cve-icon Vulnrichment

Updated: 2025-08-28T18:55:47.888Z

cve-icon NVD

Status : Deferred

Published: 2025-08-28T13:16:00.483

Modified: 2026-04-23T15:32:07.780

Link: CVE-2025-52761

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T06:30:10Z

Weaknesses