CVE-2025-7504 Overview
CVE-2025-7504 is a PHP Object Injection vulnerability in the Friends plugin for WordPress through version 3.5.1. The flaw resides in the deserialization of untrusted input via the query_vars parameter. Authenticated attackers with subscriber-level access or higher can inject arbitrary PHP objects into the application. The vulnerability is classified under [CWE-502: Deserialization of Untrusted Data].
The Friends plugin itself does not contain a Property-Oriented Programming (POP) chain. Exploitation requires the presence of a POP chain in another installed plugin or theme, plus access to the site's SALT_NONCE and SALT_KEY values.
Critical Impact
When chained with a POP gadget from another plugin or theme, attackers can delete arbitrary files, exfiltrate sensitive data, or execute arbitrary code on the WordPress server.
Affected Products
- Alex Kirk Friends plugin for WordPress, versions up to and including 3.5.1
- WordPress sites with subscriber-level user registration enabled
- WordPress installations where the Friends plugin is installed alongside other plugins or themes containing POP chains
Discovery Timeline
- 2025-07-12 - CVE-2025-7504 published to the National Vulnerability Database
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-7504
Vulnerability Analysis
The Friends plugin processes the query_vars parameter using PHP's unserialize() function on attacker-controlled input. PHP Object Injection occurs when user-supplied data is passed to deserialization routines without validation. When PHP unserializes a crafted payload, it instantiates objects of arbitrary classes available in the application scope.
The vulnerability requires authentication at the subscriber level, which is the lowest privilege tier in WordPress. Sites permitting open user registration expose this attack surface to any internet user. Exploitation also depends on the attacker obtaining the site's SALT_NONCE and SALT_KEY constants, which are typically defined in wp-config.php.
Root Cause
The root cause is unsafe deserialization of untrusted input within the plugin's query handling logic. The Friends plugin invokes unserialize() on data sourced from the query_vars parameter without first validating or restricting the allowed classes. PHP's native serialization format permits instantiation of any defined class, which makes the deserialization path inherently dangerous when fed attacker-controlled bytes.
Attack Vector
An authenticated attacker submits a crafted serialized payload through the query_vars parameter. The plugin deserializes the payload, instantiating the objects encoded in it and invoking magic methods such as __wakeup() or __destruct() during object lifecycle events. If a POP chain exists in any installed plugin or theme, these magic method invocations can be chained into file deletion, sensitive file reads, or remote code execution.
The vulnerability cannot be exploited in isolation. The attacker must enumerate installed plugins and themes, identify a usable gadget chain, and produce a valid signature using the site's secret salts. See the Wordfence Vulnerability Report for additional technical context.
Detection Methods for CVE-2025-7504
Indicators of Compromise
- HTTP requests containing serialized PHP payloads in the query_vars parameter, identifiable by patterns such as O:, a:, or s: followed by length and class markers
- Unexpected file deletions, file modifications, or new PHP files in the WordPress directory tree following requests from subscriber accounts
- Outbound network connections from the PHP worker process to attacker-controlled hosts after Friends plugin requests
- Anomalous subscriber account activity, particularly bulk registrations followed by requests targeting Friends plugin endpoints
Detection Strategies
- Inspect web server and WordPress access logs for requests to Friends plugin endpoints containing URL-encoded serialized object patterns
- Monitor PHP error logs for warnings related to unserialize(), missing classes, or __wakeup invocations originating in the Friends plugin code path
- Deploy file integrity monitoring on wp-content/, wp-config.php, and core WordPress directories to identify unauthorized changes
Monitoring Recommendations
- Alert on any new subscriber account that immediately interacts with Friends plugin URLs after registration
- Correlate WordPress audit logs with EDR telemetry from the underlying web server to identify post-exploitation activity such as shell spawning by the PHP-FPM process
- Track outbound DNS and HTTP requests from web servers to flag command-and-control beaconing that follows successful object injection
How to Mitigate CVE-2025-7504
Immediate Actions Required
- Upgrade the Friends plugin to a version newer than 3.5.1 that includes the fix from GitHub Pull Request #537
- Audit installed plugins and themes for known POP chain gadgets and remove or update vulnerable components
- Rotate the SALT_NONCE, SALT_KEY, and all other authentication unique keys in wp-config.php to invalidate any leaked secrets
- Review WordPress user accounts and disable or delete unused subscriber-level accounts
Patch Information
The maintainer addressed the vulnerability in the Friends plugin repository. Review the upstream fix in the WordPress Plugin Changeset and the corresponding GitHub Pull Request. Install the patched plugin version from the official WordPress Friends Plugin page.
Workarounds
- Disable open user registration on the WordPress site to reduce the pool of attackers able to reach the vulnerable code path
- Deactivate the Friends plugin until the patched version can be installed and tested
- Restrict access to plugin endpoints using a web application firewall rule that blocks serialized PHP patterns in the query_vars parameter
- Ensure wp-config.php permissions prevent unauthorized reads of the SALT_NONCE and SALT_KEY constants
# Example WordPress salt rotation - generate new keys and update wp-config.php
curl -s https://api.wordpress.org/secret-key/1.1/salt/
# Replace the existing AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY,
# NONCE_KEY, AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT, and NONCE_SALT
# values in wp-config.php with the freshly generated output.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

