Description
Deserialization of Untrusted Data vulnerability in universam UNIVERSAM universam-demo allows Object Injection. This issue affects UNIVERSAM: from n/a through <= 9.04.02.
Published: 2025-10-22
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Universam plugin for WordPress contains a deserialization flaw that allows untrusted data to be processed as PHP objects. This PHP Object Injection vulnerability can enable an attacker to inject arbitrary objects, which may lead to execution of malicious code on the web server. The weakness is formally classified as CWE-502, Deserialization of Untrusted Data.

Affected Systems

This issue affects the Universam WordPress plugin, specifically all releases from the earliest available version through version 9.04.02.

Risk and Exploitability

With a CVSS score of 9.8, the flaw is considered critical. The EPSS score of less than 1% indicates that, as of now, the probability of observed exploitation is low, yet the impact remains severe if exploited. The vulnerability is not present in CISA’s KEV catalog, meaning no confirmed widespread exploits have been reported. The remote attack vector is inferred to involve sending a crafted serialized payload to an endpoint of the Universam plugin that accepts untrusted input.

Generated by OpenCVE AI on April 29, 2026 at 23:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Universam plugin update (9.04.03 or newer) to eliminate the deserialization flaw.
  • If updating immediately is not possible, disable or uninstall the Universam plugin to stop processing untrusted data.
  • Deploy a Web Application Firewall or enable input filtering to detect and block suspicious serialized payloads targeting the plugin’s endpoints.



Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Description
  Values Removed: Deserialization of Untrusted Data vulnerability in universam UNIVERSAM universam-demo allows Object Injection. This issue affects UNIVERSAM: from n/a through <= 9.03.
  Values Added: Deserialization of Untrusted Data vulnerability in universam UNIVERSAM universam-demo allows Object Injection. This issue affects UNIVERSAM: from n/a through <= 9.04.02.
Type: Title
  Values Removed: WordPress UNIVERSAM plugin <= 9.03 - PHP Object Injection vulnerability
  Values Added: WordPress UNIVERSAM plugin <= 9.04.02 - PHP Object Injection vulnerability

Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
  Values Removed: Deserialization of Untrusted Data vulnerability in universam UNIVERSAM universam-demo allows Object Injection. This issue affects UNIVERSAM: from n/a through <= 8.72.34.
  Values Added: Deserialization of Untrusted Data vulnerability in universam UNIVERSAM universam-demo allows Object Injection. This issue affects UNIVERSAM: from n/a through <= 9.03.
Type: Title
  Values Removed: WordPress UNIVERSAM plugin <= 8.72.34 - PHP Object Injection vulnerability
  Values Added: WordPress UNIVERSAM plugin <= 9.03 - PHP Object Injection vulnerability

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 13 Nov 2025 11:30:00 +0000


Thu, 13 Nov 2025 10:45:00 +0000


Fri, 24 Oct 2025 13:15:00 +0000

Type: Metrics
  Values Added:
    cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 23 Oct 2025 10:30:00 +0000

Type: First Time appeared
  Values Added: Wordpress; Wordpress wordpress
Type: Vendors & Products
  Values Added: Wordpress; Wordpress wordpress

Wed, 22 Oct 2025 14:45:00 +0000

Type: Description
  Values Added: Deserialization of Untrusted Data vulnerability in universam UNIVERSAM universam-demo allows Object Injection. This issue affects UNIVERSAM: from n/a through <= 8.72.34.
Type: Title
  Values Added: WordPress UNIVERSAM plugin <= 8.72.34 - PHP Object Injection vulnerability
Type: Weaknesses
  Values Added: CWE-502
Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:58.544Z

Reserved: 2025-09-25T15:34:39.168Z

Link: CVE-2025-60238

Vulnrichment

Updated: 2025-10-24T12:54:45.614Z

NVD

Status: Deferred

Published: 2025-10-22T15:16:00.377

Modified: 2026-04-23T15:34:24.780

Link: CVE-2025-60238

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T23:45:16Z

Weaknesses