CVE-2025-64353 Overview
CVE-2025-64353 is a deserialization of untrusted data vulnerability in the Polylang WordPress plugin by Chouby. The flaw affects all versions of Polylang up to and including 3.7.3 and enables PHP Object Injection. An authenticated attacker with low privileges can submit crafted serialized data over the network to trigger unsafe deserialization. Successful exploitation can lead to arbitrary code execution, data tampering, or denial of service on the affected WordPress installation. The vulnerability maps to [CWE-502: Deserialization of Untrusted Data].
Critical Impact
Authenticated attackers can inject malicious PHP objects to compromise confidentiality, integrity, and availability of WordPress sites running Polylang 3.7.3 or earlier.
Affected Products
- Chouby Polylang plugin for WordPress
- Polylang versions from n/a through 3.7.3
- WordPress sites with the vulnerable Polylang plugin installed and active
Discovery Timeline
- 2025-10-31 - CVE-2025-64353 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-64353
Vulnerability Analysis
The vulnerability stems from Polylang processing serialized PHP data from untrusted sources without sufficient validation. When PHP's unserialize() function operates on attacker-controlled input, it instantiates arbitrary classes available within the WordPress runtime. Attackers chain these classes through their magic methods such as __wakeup(), __destruct(), or __toString() to construct POP (Property-Oriented Programming) gadgets. The chained gadgets can execute arbitrary code, read or write files, or manipulate database content within the WordPress environment.
The attack requires network access and low-privilege authentication. No user interaction is needed, and the scope remains unchanged. Impact on confidentiality, integrity, and availability is high.
Root Cause
The root cause is unsafe deserialization of attacker-supplied input within Polylang's request handling logic. The plugin invokes deserialization routines on data that originates from HTTP parameters without enforcing strict type checks, signature validation, or allowlists of permitted classes. This pattern [CWE-502] permits arbitrary object instantiation when PHP gadget chains exist in the application or its dependencies.
Attack Vector
An attacker authenticates to the WordPress instance with a low-privilege account such as Subscriber or Contributor. The attacker then submits a request containing a crafted serialized PHP payload to a Polylang endpoint that performs unserialize() on the input. The deserialization triggers magic methods in chained classes, leading to code execution within the web server process. Refer to the Patchstack WordPress Vulnerability Report for technical details.
Detection Methods for CVE-2025-64353
Indicators of Compromise
- Unexpected outbound network connections from the WordPress web server process following authenticated plugin requests.
- Web server logs showing serialized PHP payloads (strings beginning with O:, a:, or s:) submitted to Polylang endpoints by low-privilege accounts.
- New or modified PHP files in the WordPress installation directory, particularly in wp-content/uploads/ or plugin directories.
- Creation of unauthorized administrator accounts or unexpected changes to wp_options rows.
Detection Strategies
- Inspect HTTP request bodies and query strings for serialized PHP object signatures targeting Polylang URLs or AJAX actions.
- Correlate authenticated session activity with file system writes or process spawning by the PHP-FPM or Apache worker process.
- Monitor WordPress audit logs for anomalous activity from low-privilege accounts interacting with translation or language-switching features.
Monitoring Recommendations
- Enable verbose access logging on the WordPress reverse proxy and forward logs to a centralized analytics platform for query-time inspection.
- Track installed Polylang versions across the estate and alert when version 3.7.3 or earlier remains in production.
- Baseline normal plugin AJAX traffic and alert on requests containing serialized object patterns.
How to Mitigate CVE-2025-64353
Immediate Actions Required
- Update Polylang to a fixed release published after 3.7.3 on every WordPress site in the environment.
- Audit user accounts and revoke any unauthorized administrator or editor roles created since the plugin was installed.
- Review file integrity within wp-content/plugins/polylang/ and the broader WordPress installation for tampering.
- Rotate WordPress secret keys defined in wp-config.php and reset passwords for privileged accounts.
Patch Information
Apply the vendor-supplied patch by upgrading Polylang past version 3.7.3. Refer to the Patchstack WordPress Vulnerability Report for the current fixed release and changelog entries.
Workarounds
- Deactivate and remove the Polylang plugin until the patched version is deployed if the site can operate without multilingual support.
- Restrict registration and reduce default user role privileges to limit who can reach authenticated plugin endpoints.
- Deploy a Web Application Firewall (WAF) rule that blocks requests containing PHP serialized object patterns to WordPress endpoints.
- Disable PHP functions used in common deserialization gadget chains where the application does not require them.
# Configuration example
# Upgrade Polylang via WP-CLI to the patched release
wp plugin update polylang --version=<patched-version>
# Verify installed version after update
wp plugin get polylang --field=version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
