Description
Deserialization of Untrusted Data vulnerability in enituretechnology Small Package Quotes – USPS Edition small-package-quotes-usps-edition allows Object Injection. This issue affects Small Package Quotes – USPS Edition: from n/a through <= 1.3.9.
Published: 2025-08-27
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The plugin deserializes data from untrusted sources, allowing attackers to inject PHP objects and ultimately execute arbitrary code. This flaw is classified as a deserialization error (CWE‑502) and can lead to full compromise of the WordPress instance, including data theft, defacement, or lateral movement.

Affected Systems

The vulnerability affects the WordPress plugin "Small Package Quotes – USPS Edition" produced by enituretechnology, versions from the initial release through 1.3.9. Any site with one of these versions installed is at risk.

Risk and Exploitability

The CVSS score of 7.2 is rated High, while the EPSS score of less than 1% suggests a low probability of exploitation at present. The CVSS vector (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) specifies PR:H, meaning the attacker must already hold high privileges. The flaw is not listed in the CISA KEV catalog. Based on the description, it is inferred that exploitation requires an attacker to deliver a crafted serialized payload that the plugin unserializes; this can be done through any input the plugin passes unchecked to PHP's unserialize function, such as form fields or API endpoints. Successful exploitation would give the attacker the ability to run arbitrary code on the hosting server.

Generated by OpenCVE AI on April 30, 2026 at 15:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Disable or uninstall the Small Package Quotes – USPS Edition plugin until an official fix is available.
  • Block or intercept calls to PHP’s unserialize function in the affected plugin’s code or overall site configuration.
  • Check the vendor’s official support channels or website for update announcements and apply any released fix when it becomes available.

Advisories
Source: EUVD
ID: EUVD-2025-25917
Title: Deserialization of Untrusted Data vulnerability in enituretechnology Small Package Quotes – USPS Edition allows Object Injection. This issue affects Small Package Quotes – USPS Edition: from n/a through 1.3.9.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Removed: Deserialization of Untrusted Data vulnerability in enituretechnology Small Package Quotes – USPS Edition allows Object Injection. This issue affects Small Package Quotes – USPS Edition: from n/a through 1.3.9.
Added: Deserialization of Untrusted Data vulnerability in enituretechnology Small Package Quotes – USPS Edition small-package-quotes-usps-edition allows Object Injection. This issue affects Small Package Quotes – USPS Edition: from n/a through <= 1.3.9.
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


Wed, 27 Aug 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 27 Aug 2025 18:00:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in enituretechnology Small Package Quotes – USPS Edition allows Object Injection. This issue affects Small Package Quotes – USPS Edition: from n/a through 1.3.9.
Title WordPress Small Package Quotes – USPS Edition Plugin <= 1.3.9 - PHP Object Injection Vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:42.365Z

Reserved: 2025-08-27T16:19:19.005Z

Link: CVE-2025-58218

Vulnrichment

Updated: 2025-08-27T18:03:19.165Z

NVD

Status: Deferred

Published: 2025-08-27T18:15:50.127

Modified: 2026-04-23T15:33:19.530

Link: CVE-2025-58218

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T15:45:40Z