Description
Deserialization of Untrusted Data vulnerability in quantumcloud KBx Pro Ultimate knowledgebase-helpdesk-pro allows Object Injection.This issue affects KBx Pro Ultimate: from n/a through <= 8.0.5.
Published: 2025-10-22
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a PHP Object Injection flaw arising from deserialization of untrusted data in the quantumcloud KBx Pro Ultimate WordPress plugin. This issue, classified under CWE‑502, allows an attacker to manipulate the serialized payload executed by the plugin, potentially enabling the injection of arbitrary objects and execution of arbitrary code. If exploited, the attacker could compromise the confidentiality, integrity, and availability of the hosting server and any data processed through the plugin.

Affected Systems

Quantumcloud’s KBx Pro Ultimate plugin, versions from n/a through 8.0.5, is affected. The vulnerability is present in the plugin’s handling of deserialized input without proper validation.

Risk and Exploitability

The CVSS score of 9.8 demonstrates a critical severity level. The EPSS score is reported as < 1 %, indicating a very low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector involves submitting a crafted serialized payload via a web request to the plugin’s deserialization endpoint, which, if successful, could lead to remote code execution. No explicit mitigations are documented beyond patching, so the risk remains high if the plugin remains installed and unpatched.

Generated by OpenCVE AI on April 29, 2026 at 16:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update KBx Pro Ultimate to version 8.0.6 or later to remediate the Object Injection flaw.
  • If an update is not immediately possible, remove or deactivate the plugin to prevent exposure to the vulnerable code path.
  • As a temporary protective measure, configure a web application firewall to block requests containing serialized PHP objects or other suspicious payload patterns.

Generated by OpenCVE AI on April 29, 2026 at 16:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 11:30:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 10:45:00 +0000

Type Values Removed Values Added
References

Fri, 24 Oct 2025 13:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 23 Oct 2025 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Wed, 22 Oct 2025 14:45:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in quantumcloud KBx Pro Ultimate knowledgebase-helpdesk-pro allows Object Injection.This issue affects KBx Pro Ultimate: from n/a through <= 8.0.5.
Title WordPress KBx Pro Ultimate plugin <= 8.0.5 - PHP Object Injection vulnerability
Weaknesses CWE-502
References

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T18:43:20.002Z

Reserved: 2025-09-25T15:34:39.168Z

Link: CVE-2025-60232

cve-icon Vulnrichment

Updated: 2025-10-24T12:56:17.526Z

cve-icon NVD

Status : Deferred

Published: 2025-10-22T15:16:00.130

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-60232

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T16:30:15Z

Weaknesses