CVE-2025-0855 is a critical deserialization vulnerability classified under CWE-502 affecting the PGS Core plugin for WordPress, versions up to and including 5.8.0. The vulnerability stems from the 'import_header' function which deserializes untrusted user input without proper validation or sanitization, enabling PHP Object Injection. This flaw allows unauthenticated remote attackers to craft malicious serialized objects that, when deserialized by the plugin, can manipulate program flow or data structures. Although the plugin itself lacks a built-in Property Oriented Programming (POP) chain necessary for full exploitation, the presence of other plugins or themes that provide POP gadgets can enable attackers to leverage this injection to perform destructive actions such as arbitrary file deletion, sensitive data extraction, or remote code execution. The vulnerability is remotely exploitable over the network without any authentication or user interaction, making it highly dangerous. The CVSS 3.1 base score of 9.8 reflects the criticality of this issue, with high impact on confidentiality, integrity, and availability. No official patches or fixes are currently linked, emphasizing the need for immediate attention and mitigation by site administrators. The vulnerability was publicly disclosed on May 6, 2025, and is tracked by CISA as enriched intelligence, highlighting its significance in the cybersecurity community.

The impact of CVE-2025-0855 is severe for organizations using the PGS Core WordPress plugin. Exploitation can lead to complete compromise of affected websites, including unauthorized access to sensitive data, deletion or modification of critical files, and execution of arbitrary code on the server. This can result in website defacement, data breaches, service disruption, and potential pivoting into internal networks. Given WordPress's extensive use globally, especially among small to medium businesses, e-commerce sites, and content providers, the vulnerability poses a widespread risk. Attackers can exploit this flaw remotely without authentication, increasing the likelihood of automated mass exploitation campaigns. The absence of a direct POP chain in the plugin means exploitation depends on the presence of other vulnerable components, but many WordPress environments have multiple plugins and themes installed, raising the practical risk. Organizations may face reputational damage, regulatory penalties, and operational downtime if exploited. The vulnerability also provides an entry point for advanced persistent threats targeting high-value WordPress deployments.

To mitigate CVE-2025-0855, organizations should immediately update the PGS Core plugin to a patched version once available. Until a patch is released, administrators should consider disabling or removing the plugin to eliminate the attack surface. Implementing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious serialized PHP payloads targeting the 'import_header' function can provide temporary protection. Conduct a thorough audit of all installed plugins and themes to identify and remove or update components that may provide POP chains, reducing the risk of exploitation. Employ strict input validation and sanitization on any user-supplied data, especially where deserialization occurs. Monitoring web server and application logs for unusual deserialization attempts or errors can help detect exploitation attempts early. Additionally, restricting file system permissions to limit the plugin's ability to modify or delete files can reduce impact. Organizations should also maintain regular backups and have an incident response plan ready in case of compromise. Finally, stay informed through vendor advisories and security communities for updates and patches.