3582 matches found
PT-2025-46786
Name of the Vulnerable Software and Affected Versions: AI Engine versions prior to 3.1.9. Description: The AI Engine plugin for WordPress is susceptible to PHP Object Injection through PHAR Deserialization. This occurs due to the deserialization of untrusted input within the rest simpleTranscribeAud...
WordPress Academy LMS plugin <= 3.3.8 - Authenticated (Administrator+) PHP Object Injection via 'import_all_courses' vulnerability
Authenticated (Administrator+) PHP Object Injection via 'import_all_courses' vulnerability discovered by Michelle Porter - Wordfence in WordPress Plugin Academy LMS versions <= 3.3.8...
CVE-2025-12099
The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.3.8 via deserialization of untrusted input in the 'import_all_courses' function. This makes it possible for authenticated...
WordPress Email Subscribers & Newsletters plugin <= 5.9.10 - PHP Object Injection vulnerability
PHP Object Injection vulnerability discovered by Ananda Dhakal Patchstack in WordPress Plugin Email Subscribers & Newsletters versions <= 5.9.10...
EUVD-2025-38367
The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.3.8 via deserialization of untrusted input in the 'import_all_courses' function. This makes it possible for authenticated...
CVE-2025-12099
CVE-2025-12099 affects the Academy LMS – WordPress LMS Plugin for Complete eLearning Solution, with versions ≤ 3.3.8 vulnerable to PHP Object Injection via deserialization in import_all_courses. An authenticated attacker with Administrator+ rights can inject a PHP Object; impact depends on whethe...
CVE-2025-62035 WordPress Togo theme < 1.0.4 - PHP Object Injection vulnerability
Deserialization of Untrusted Data vulnerability in uxper Togo togo. This issue affects Togo: from n/a through 1.0.4...
CVE-2025-58619
CVE-2025-58619 concerns Falang multilanguage for WordPress (versions
CVE-2025-49393
CVE-2025-49393 (WordPress Sign-up Sheets plugin) exhibits Deserialization of Untrusted Data leading to PHP Object Injection in Sign-up Sheets
CVE-2025-49386 WordPress Preserve Code Formatting Plugin <= 4.0.1 - PHP Object Injection Vulnerability
Deserialization of Untrusted Data vulnerability in Scott Reilly Preserve Code Formatting preserve-code-formatting allows Object Injection. This issue affects Preserve Code Formatting: from n/a through <= 4.0.1...
CVE-2025-49386
CVE-2025-49386: A deserialization-based PHP Object Injection vulnerability affects the WordPress plugin Preserve Code Formatting up to version 4.0.1. The issue arises from deserializing untrusted data, enabling object injection. The CVE entries consistently describe this as a vulnerability in th...
WordPress Everest Forms Pro plugin <= 1.9.7 - Unauthenticated PHP Object Injection via PHAR Deserialization in Form Signature vulnerability
Unauthenticated PHP Object Injection via PHAR Deserialization in Form Signature vulnerability discovered by Alex Thomas - Wordfence in WordPress Plugin Everest Forms Pro versions <= 1.9.7...
PT-2025-45066
Name of the Vulnerable Software and Affected Versions: Everest Forms Pro versions up to and including 1.9.7. Description: The Everest Forms Pro plugin for WordPress is susceptible to PHP Object Injection due to deserialization of untrusted input within the mime content type function. This allows...
WordPress Jannah theme <= 7.6.0 - PHP Object Injection vulnerability
PHP Object Injection vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Theme Jannah versions <= 7.6.0...
EUVD-2025-36574
WordPress plugin Contact Form CFDB7 versions up to and including 1.3.2 are affected by a pre-authentication SQL injection vulnerability that cascades into insecure deserialization PHP Object Injection. The weakness arises due to insufficient validation of user input in plugin endpoints, allowing...
CVE-2025-4665
WordPress plugin Contact Form CFDB7 versions up to and including 1.3.2 are affected by a pre-authentication SQL injection vulnerability that cascades into insecure deserialization PHP Object Injection. The weakness arises due to insufficient validation of user input in plugin endpoints, allowing...
CVE-2025-4665
Summary: WordPress plugin Contact Form CFDB7, affected versions up to 1.3.2, suffers a pre-authentication SQL injection that cascades into insecure deserialization (PHP Object Injection). Root cause: insufficient input validation in plugin endpoints allows crafted payloads to influence backend qu...
CVE-2025-34292
Rox, the software running BeWelcome, contains a PHP object injection vulnerability resulting from deserialization of untrusted data. User-controlled input is passed to PHP's unserialize: the POST parameter formkitmemoryrecovery in \RoxPostHandler::getCallbackAction and the 'memory cookie' read by...