CVE-2024-2025 Overview
CVE-2024-2025 is a PHP Object Injection vulnerability in the "BuddyPress WooCommerce My Account Integration. Create WooCommerce Member Pages" plugin for WordPress. The flaw affects all versions up to and including 3.4.20. The vulnerability resides in the get_simple_request function, which deserializes untrusted input without validation [CWE-502]. Authenticated attackers with subscriber-level access or higher can inject a PHP object into the application. When a suitable Property-Oriented Programming (POP) chain exists through another installed plugin or theme, attackers can delete arbitrary files, exfiltrate sensitive data, or execute code. CVE-2024-32603 is likely a duplicate of this issue.
Critical Impact
Authenticated subscribers can trigger PHP Object Injection in get_simple_request, enabling arbitrary file deletion, data disclosure, or code execution when a POP chain is present.
Affected Products
- BuddyPress WooCommerce My Account Integration plugin for WordPress
- All versions up to and including 3.4.20
- WordPress sites with subscriber-level registration enabled
Discovery Timeline
- 2024-03-23 - CVE-2024-2025 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2024-2025
Vulnerability Analysis
The vulnerability is an insecure deserialization flaw classified under [CWE-502]. The plugin's get_simple_request function calls PHP's unserialize() on attacker-controlled input received through HTTP requests. PHP's unserialize() reconstructs arbitrary object instances from serialized strings, invoking magic methods such as __wakeup, __destruct, and __toString during the process.
Exploitation requires only subscriber-level authentication, which is trivial to obtain on WordPress sites with open registration. The injected object alone does not guarantee compromise: the attacker needs a POP gadget chain provided by another plugin, a theme, or WordPress core to reach a useful sink. Common sinks reached through such chains include file deletion primitives, file read operations, and dynamic method dispatch leading to remote code execution.
The EPSS probability is 0.836% (74.84 percentile), indicating moderate observed exploitation interest relative to other CVEs.
Root Cause
The plugin passes user-controlled request data directly to unserialize() inside get_simple_request without verifying the type or origin of the payload. This violates the principle that serialized PHP objects from untrusted sources must never be deserialized. Refer to the WordPress Change Log Entry for the corrected handler.
Attack Vector
An authenticated attacker submits a crafted serialized PHP object through a request parameter consumed by get_simple_request. The plugin deserializes the payload, instantiating attacker-defined objects with attacker-controlled properties. When magic methods fire during object lifecycle events, they execute the gadget chain. Outcomes depend on installed plugins and themes but include arbitrary file deletion, sensitive file read, and code execution. See the Wordfence Vulnerability Report for detection signatures.
No verified public proof-of-concept code is available. The vulnerability mechanism is documented in the vendor patch (plugins.trac.wordpress.org changeset 3055634), which replaces the unsafe deserialization with safe request parsing.
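The following is an added illustration, not the plugin's code or the vendor's patch: a request handler in the shape described above (unserialize() on raw request data) beside a hardened replacement that never deserializes request input. The class and function names (DemoLogger, demo_get_simple_request_*), the parameter name wc4bp_data and the accepted keys are assumptions for the demo; the gadget class only records what a real destructor would have done.

```php
<?php
// Added example (not the plugin's code). Shows why unserialize() on
// request data is dangerous and what a safe handler looks like.

// Stand-in for a gadget class some other plugin or theme might load.
// A real gadget's __destruct might unlink($this->path); this one only
// records the action, so the demo is harmless to run.
class DemoLogger {
    public $path = '';
    public static $events = [];
    public function __destruct() {
        self::$events[] = "would unlink {$this->path}";
    }
}

// Vulnerable shape: any class loaded in the process can be instantiated
// with attacker-chosen properties, and its magic methods will run.
function demo_get_simple_request_vulnerable(array $request) {
    $raw = $request['wc4bp_data'] ?? '';
    return unserialize($raw);
}

// Hardened shape: accept JSON only, then whitelist keys and scalar types.
// Serialized input of any kind is simply treated as "no data".
function demo_get_simple_request_safe(array $request): array {
    $raw = $request['wc4bp_data'] ?? '';
    if (!is_string($raw) || $raw === '') {
        return [];
    }
    $decoded = json_decode($raw, true, 8);
    if (!is_array($decoded)) {
        return []; // invalid JSON, a bare scalar, or a serialized string
    }
    $allowed = ['tab' => 'string', 'page' => 'int']; // assumed schema
    $clean = [];
    foreach ($allowed as $key => $type) {
        if (!array_key_exists($key, $decoded)) {
            continue;
        }
        $value = $decoded[$key];
        if ($type === 'int' && is_int($value)) {
            $clean[$key] = $value;
        } elseif ($type === 'string' && is_string($value)) {
            $clean[$key] = preg_replace('/[^a-z0-9_-]/i', '', $value);
        }
    }
    return $clean;
}

// If legacy serialized arrays must still be read, refusing object
// construction is the minimum: objects come back as
// __PHP_Incomplete_Class and no magic method runs.
function demo_unserialize_no_objects(string $raw) {
    return unserialize($raw, ['allowed_classes' => false]);
}

// Constructed payload: a serialized DemoLogger with a chosen path.
$payload = 'O:10:"DemoLogger":1:{s:4:"path";s:27:"/var/www/html/wp-config.php";}';

$obj = demo_get_simple_request_vulnerable(['wc4bp_data' => $payload]);
unset($obj); // __destruct fires here in the vulnerable path
print_r(DemoLogger::$events);   // ["would unlink /var/www/html/wp-config.php"]

var_dump(demo_get_simple_request_safe(['wc4bp_data' => $payload]));             // array(0) {}
var_dump(demo_get_simple_request_safe(['wc4bp_data' => '{"tab":"orders","page":2}'])); // tab, page
var_dump(get_class(demo_unserialize_no_objects($payload)));                      // __PHP_Incomplete_Class
```

The safe handler deliberately returns an empty array for anything that is not a JSON object with expected keys; a handler that falls back to unserialize() "for compatibility" reintroduces the bug.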
Detection Methods for CVE-2024-2025
Indicators of Compromise
- HTTP request parameters containing PHP serialization markers such as O:<length>:"<class>" (object) or a:<count>:{ (array) sent to plugin endpoints
- Unexpected file deletions or modifications under wp-content/ and adjacent directories
- PHP error log entries referencing __wakeup, __destruct, or unserialize warnings tied to plugin paths
- New administrative users or modified wp_options entries following subscriber-account activity
Detection Strategies
- Inspect web server logs for POST or GET requests to wc4bp plugin endpoints containing serialized object markers
- Audit installed plugin versions and flag any wc4bp instance at or below 3.4.20
- Correlate subscriber-level authenticated sessions with file system change events on the WordPress host
Monitoring Recommendations
- Enable WordPress audit logging for plugin file changes, user role modifications, and option updates
- Forward web application firewall (WAF) and PHP error logs to a centralized analytics platform for query and alerting
- Monitor for unusual outbound connections from the web server process following subscriber logins
How to Mitigate CVE-2024-2025
Immediate Actions Required
- Update the BuddyPress WooCommerce My Account Integration plugin to a version above 3.4.20
- Disable or remove the plugin if an update cannot be applied immediately
- Audit all installed plugins and themes for known POP gadget chains and update them
- Review existing subscriber accounts and remove suspicious or unused registrations
Patch Information
The vendor addressed the issue in the changeset published at plugins.trac.wordpress.org changeset 3055634. The fix removes the call to unserialize() on untrusted input inside get_simple_request and replaces it with safe parsing of request parameters.
Workarounds
- Restrict new user registration on the WordPress site until the patch is applied
- Deploy WAF rules that block requests containing PHP serialized object patterns to plugin endpoints
- Apply least-privilege file system permissions so the web server account cannot delete or modify critical files
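The following added example (not the plugin's, Wordfence's or any WAF vendor's code) serves both the log-inspection strategy under Detection Strategies and the WAF-rule workaround above: one classifier that recognises PHP serialized-object markers in decoded parameter values, applied to constructed access-log lines and, through the same function, as a block decision for a request to a plugin endpoint. The log lines, IP addresses, and endpoint names (action=wc4bp_update, the ajax.php path) are constructed assumptions; the plugin's real endpoints should be taken from its source.

```php
<?php
// Added example: detect PHP serialized-object markers in requests to
// plugin endpoints, for log review and for a WAF-style block rule.

// True when a decoded value looks like a serialized PHP object/array:
//   O:<len>:"<class>":<n>:{   C:<len>:"<class>":<n>:{   a:<count>:{
function demo_is_serialized_payload(string $value): bool {
    // Look at the raw value, a further URL-decoding (double encoding),
    // and a base64 layer, which payloads are often wrapped in.
    $candidates = [$value, rawurldecode($value)];
    if (preg_match('/^[A-Za-z0-9+\/=]{16,}$/', $value)) {
        $decoded = base64_decode($value, true);
        if ($decoded !== false) {
            $candidates[] = $decoded;
        }
    }
    $marker = '/(?<![A-Za-z0-9])(?:[OC]:\d+:"[A-Za-z0-9_\\\\]+":\d+:\{|a:\d+:\{)/';
    foreach ($candidates as $c) {
        if (preg_match($marker, $c)) {
            return true;
        }
    }
    return false;
}

// Assumed endpoint identification: plugin path or an action name
// carrying the plugin's short name.
function demo_is_plugin_endpoint(string $path, array $params): bool {
    $action = (string) ($params['action'] ?? '');
    foreach (['wc4bp', 'bp-woocommerce'] as $needle) {
        if (stripos($path, $needle) !== false || stripos($action, $needle) !== false) {
            return true;
        }
    }
    return false;
}

// WAF-style decision for the workaround: block when any parameter of a
// request to a plugin endpoint carries a serialized marker.
function demo_should_block_request(string $path, array $params): bool {
    if (!demo_is_plugin_endpoint($path, $params)) {
        return false;
    }
    foreach ($params as $v) {
        if (is_string($v) && demo_is_serialized_payload($v)) {
            return true;
        }
    }
    return false;
}

// Parse combined-format access-log lines and report suspicious requests.
function demo_scan_access_log(array $lines): array {
    $hits = [];
    foreach ($lines as $line) {
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
            continue;
        }
        [, $ip, $time, $method, $target] = $m;
        $path  = parse_url($target, PHP_URL_PATH) ?? '';
        $query = parse_url($target, PHP_URL_QUERY) ?? '';
        parse_str($query, $params); // parse_str URL-decodes the values
        if (!demo_is_plugin_endpoint($path, $params)) {
            continue;
        }
        if (demo_should_block_request($path, $params)) {
            $hits[] = ['ip' => $ip, 'time' => $time, 'reason' => 'serialized object marker in query'];
        } elseif ($method === 'POST') {
            // Access logs do not record POST bodies, so a payload could be
            // present without being visible here; route to WAF/request logs.
            $hits[] = ['ip' => $ip, 'time' => $time, 'reason' => 'POST to plugin endpoint; body not in access log'];
        }
    }
    return $hits;
}

// Constructed sample log lines (not from a real incident).
$sample = [
    '203.0.113.5 - - [23/Mar/2024:10:15:01 +0000] "GET /wp-admin/admin-ajax.php?action=wc4bp_update&wc4bp_data=O%3A10%3A%22DemoLogger%22%3A1%3A%7Bs%3A4%3A%22path%22%3Bs%3A27%3A%22%2Fvar%2Fwww%2Fhtml%2Fwp-config.php%22%3B%7D HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [23/Mar/2024:10:16:44 +0000] "GET /my-account/?tab=orders HTTP/1.1" 200 8812 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [23/Mar/2024:10:17:10 +0000] "POST /wp-content/plugins/bp-woocommerce/ajax.php HTTP/1.1" 200 120 "-" "curl/8.0"',
];
print_r(demo_scan_access_log($sample)); // two hits: 203.0.113.5 (marker), 203.0.113.9 (POST body unlogged)
var_dump(demo_should_block_request('/wp-admin/admin-ajax.php', ['action' => 'wc4bp_update', 'wc4bp_data' => '{"tab":"orders"}'])); // false
```

Because the WAF check runs on decoded parameter values rather than the raw URL, single or double URL-encoding and a base64 wrapper do not evade it; the remaining gap is POST bodies, which an access log never shows, so the same classifier should run in the WAF or an application-level request logger.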
# Update the vulnerable plugin via WP-CLI
wp plugin update bp-woocommerce --version=3.4.21
wp plugin list --name=bp-woocommerce --fields=name,version,status
# Temporarily deactivate while patching
wp plugin deactivate bp-woocommerce
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.