Description
The Schema Plugin For Divi, Gutenberg & Shortcodes plugin for WordPress is vulnerable to Object Instantiation in all versions up to, and including, 4.3.2 via deserialization of untrusted input via the wpt_schema_breadcrumbs shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.
Published: 2025-10-03
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Object Instantiation via a shortcode that an authenticated Contributor can use can lead to code execution if a Property-Oriented Programming (POP) chain is present on the site
Action: Assess Impact
AI Analysis

Impact

The vulnerability allows a Contributor or higher-level user to submit untrusted input to the wpt_schema_breadcrumbs shortcode, which the plugin unserializes without proper validation. This causes PHP object instantiation that the attacker controls. While the plugin itself contains no Property-Oriented Programming (POP) chain, the potential for severe impact is realized only when an additional plugin or theme contains such a chain. When that condition is met, the attacker could delete files, exfiltrate data, or execute arbitrary code depending on the chain exposed.

Affected Systems

The affected vendor is wpt00ls and the product is Schema Plugin For Divi, Gutenberg & Shortcodes. Versions up to and including 4.3.2 are vulnerable. No further version information is provided, so any release equal to or earlier than 4.3.2 is at risk.

Risk and Exploitability

The CVSS score of 6.3 indicates a moderate severity whose impact is limited by the need for a supplemental POP chain. The EPSS score of < 1% suggests that exploitation is currently unlikely, and the vulnerability is not listed in CISA’s KEV catalog. Nonetheless, authenticated attackers with Contributor privileges can instantiate objects via the shortcode; if a compatible POP chain is present, they may achieve file deletion, data theft, or code execution. The attack vector is authenticated (network, low privilege, no user interaction per the CVSS vector), and exploitation requires that a Property-Oriented Programming chain be available on the target site.

Generated by OpenCVE AI on April 20, 2026 at 19:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the plugin’s official source or WordPress plugin repository for an update that addresses the deserialization flaw and upgrade if available; if no update exists, consider uninstalling the plugin until a fix is released.
  • Identify all other plugins and themes installed on the site that provide Property-Oriented Programming (POP) chains; remove or update them to eliminate the chain needed for exploitation.
  • Restrict the use of the wpt_schema_breadcrumbs shortcode to users with Administrator access, or disable the shortcode entirely if it is not required for site functionality.
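The Impact analysis above describes the flaw pattern (a shortcode handler calling unserialize() on an attribute that a Contributor controls through post content), and the recommended actions above describe the mitigations (gate the shortcode to Administrators or disable it). The following PHP is an added illustration written for this page; it is not the plugin's own code, and the function names example_breadcrumbs_vulnerable, example_breadcrumbs_hardened, the 'items' attribute, and the use of manage_options as the Administrator check are assumptions. The vulnerable handler is shown only to make the defect recognisable in code review; the hardened handler and the mu-plugin mitigation are the parts to reuse.

```php
<?php
// Added example (not the plugin's code). Assumes a WordPress runtime and PHP >= 7.0.

// VULNERABLE PATTERN (CWE-96 / untrusted deserialization): shortcode attributes come
// from post content, which a Contributor can author, so unserialize() instantiates
// whatever class the attribute names. With a POP chain from another plugin or theme,
// that instantiation becomes file deletion, data disclosure or code execution.
function example_breadcrumbs_vulnerable( $atts ) {
    $atts  = shortcode_atts( array( 'items' => '' ), $atts );
    $items = unserialize( $atts['items'] ); // DO NOT DO THIS with user-controlled input
    return is_array( $items ) ? implode( ' &raquo; ', array_map( 'esc_html', $items ) ) : '';
}

// HARDENED: accept a JSON array of strings instead of a PHP-serialized blob. json_decode()
// never instantiates classes, and every element is type-checked and escaped on output.
function example_breadcrumbs_hardened( $atts ) {
    $atts  = shortcode_atts( array( 'items' => '' ), $atts );
    $items = json_decode( $atts['items'], true );
    if ( ! is_array( $items ) ) {
        return '';
    }
    $labels = array();
    foreach ( $items as $item ) {
        if ( is_string( $item ) && '' !== $item ) {
            $labels[] = esc_html( wp_strip_all_tags( $item ) );
        }
    }
    return implode( ' &raquo; ', $labels );
}

// If legacy serialized data must still be read, forbid object creation outright:
// allowed_classes => false turns any object token into __PHP_Incomplete_Class.
function example_safe_unserialize( $blob ) {
    $data = @unserialize( $blob, array( 'allowed_classes' => false ) );
    return is_array( $data ) ? $data : array();
}

add_shortcode( 'example_breadcrumbs', 'example_breadcrumbs_hardened' );

// INTERIM SITE MITIGATION (drop into wp-content/mu-plugins/ as its own file):
// Option A, per the last recommended action: disable the affected shortcode entirely.
// Priority PHP_INT_MAX runs after the plugin has registered it.
add_action( 'init', function () {
    remove_shortcode( 'wpt_schema_breadcrumbs' );
}, PHP_INT_MAX );

// Option B: keep the shortcode but only render it in posts authored by an Administrator
// (assumed check: the manage_options capability). pre_do_shortcode_tag is the core filter
// that short-circuits a tag when a non-false value is returned.
add_filter( 'pre_do_shortcode_tag', function ( $output, $tag ) {
    if ( 'wpt_schema_breadcrumbs' !== $tag ) {
        return $output;
    }
    $post = get_post();
    if ( ! $post || ! user_can( (int) $post->post_author, 'manage_options' ) ) {
        return ''; // silently drop the shortcode for non-Administrator authors
    }
    return $output;
}, 10, 2 );
```

Use Option A or Option B, not both. For code review across other installed plugins and themes, the same defect is easy to search for: any unserialize() call whose argument derives from shortcode attributes, post meta, or request parameters, and any unserialize() call without allowed_classes => false, deserves the same treatment as the hardened handler above.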


Tracking


Advisories
Source: EUVD
ID: EUVD-2025-32252
Title: The Schema Plugin For Divi, Gutenberg & Shortcodes plugin for WordPress is vulnerable to Object Instantiation in all versions up to, and including, 4.3.2 via deserialization of untrusted input via the wpt_schema_breadcrumbs shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.
History

Mon, 06 Oct 2025 14:45:00 +0000

Type: First Time appeared | Values Removed: (none) | Values Added: Wordpress; Wordpress wordpress
Type: Vendors & Products | Values Removed: (none) | Values Added: Wordpress; Wordpress wordpress

Fri, 03 Oct 2025 14:15:00 +0000

Type: Metrics | Values Removed: (none) | Values Added: ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 03 Oct 2025 11:30:00 +0000

Type | Values Removed | Values Added
Description The Schema Plugin For Divi, Gutenberg & Shortcodes plugin for WordPress is vulnerable to Object Instantiation in all versions up to, and including, 4.3.2 via deserialization of untrusted input via the wpt_schema_breadcrumbs shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.
Title Schema Plugin For Divi, Gutenberg & Shortcodes <= 4.3.2 - Authenticated (Contributor+) Object Instantiation
Weaknesses CWE-96
References
Metrics cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}


Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:23:51.912Z

Reserved: 2025-07-18T17:48:11.499Z

Link: CVE-2025-7825

Vulnrichment

Updated: 2025-10-03T13:58:30.269Z

NVD

Status : Deferred

Published: 2025-10-03T12:15:44.820

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-7825

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T19:30:06Z

Weaknesses