CVE-2025-7504: CWE-502 Deserialization of Untrusted Data in akirk Friends
The Friends plugin for WordPress is vulnerable to PHP Object Injection in version 3.5.1 via deserialization of untrusted input of the query_vars parameter. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like deleting arbitrary files, retrieving sensitive data, or executing code, depending on the POP chain present. This requires access to the site's SALT_NONCE and SALT_KEY to exploit.
AI Analysis
Technical Summary
CVE-2025-7504 is a high-severity vulnerability affecting version 3.5.1 of the Friends plugin for WordPress, developed by akirk. The vulnerability arises from improper handling of deserialization of untrusted data, specifically through the query_vars parameter. This flaw enables PHP Object Injection (CWE-502), where an authenticated attacker with subscriber-level access or higher can inject malicious PHP objects. However, the vulnerability alone does not directly lead to exploitation because no known Property Oriented Programming (POP) chain exists within the Friends plugin itself. A POP chain is necessary to leverage the injected object to perform malicious actions such as arbitrary file deletion, data exfiltration, or remote code execution. The presence of a POP chain depends on additional plugins or themes installed on the WordPress site. Furthermore, exploitation requires knowledge of the site's SALT_NONCE and SALT_KEY values, which are secret keys used by WordPress for security purposes. The CVSS v3.1 base score is 7.5, indicating a high severity, with attack vector network (AV:N), high attack complexity (AC:H), low privileges required (PR:L), no user interaction (UI:N), unchanged scope (S:U), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). No known exploits are currently observed in the wild, and no patches have been published yet. This vulnerability highlights the risks of insecure deserialization in PHP applications, especially in extensible platforms like WordPress where multiple plugins and themes interact, potentially enabling complex exploitation chains.
Potential Impact
For European organizations using WordPress with the Friends plugin version 3.5.1, this vulnerability poses a significant risk, especially for websites that allow subscriber-level users to interact with query parameters. If additional plugins or themes containing exploitable POP chains are installed, attackers could leverage this vulnerability to compromise website integrity, confidentiality, and availability. Potential impacts include unauthorized deletion of files, exposure of sensitive data, or even remote code execution leading to full site takeover. This could result in data breaches, defacement, service disruption, and reputational damage. Given the widespread use of WordPress across Europe in sectors such as e-commerce, media, education, and government, the vulnerability could affect a broad range of organizations. The requirement for knowledge of SALT_NONCE and SALT_KEY adds a layer of difficulty but does not eliminate risk, as attackers may obtain these secrets through other vulnerabilities or insider threats. The absence of known exploits in the wild currently reduces immediate risk but does not preclude future exploitation. Organizations with complex WordPress environments that include multiple plugins and themes are at higher risk due to the potential presence of POP chains.
Mitigation Recommendations
1. Immediate mitigation should include upgrading the Friends plugin to a patched version once available. Until then, consider disabling or removing the Friends plugin if it is not critical.
2. Restrict subscriber-level users' ability to manipulate query_vars parameters or limit their access to the affected functionality.
3. Audit all installed plugins and themes for known POP chains or insecure deserialization vulnerabilities to reduce the risk of chained exploitation.
4. Rotate WordPress SALT_NONCE and SALT_KEY values to invalidate any previously obtained secrets, and ensure these keys are securely stored and not exposed.
5. Implement Web Application Firewall (WAF) rules to detect and block suspicious deserialization payloads or abnormal query parameter usage.
6. Monitor logs for unusual activity related to query_vars parameters and subscriber user actions.
7. Conduct regular security assessments and penetration tests focusing on plugin interactions and deserialization risks.
8. Educate site administrators and developers about the risks of insecure deserialization and the importance of secure coding practices in plugin development.
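The following PHP snippet is an added illustration of the mechanism described in the Technical Summary and of the secure-coding point in mitigation items 3, 5, 6 and 8. It is not code from the Friends plugin, from akirk, or from Wordfence. The class name AuditLogger, the handler function names, the serialized sample string and the pre-check regex are all constructed for this example; it assumes PHP 8.0 or later. The vulnerable handler calls unserialize() with default options, which instantiates whatever class the input names and lets its magic methods run (the gadget a POP chain needs). The hardened handler passes allowed_classes => false, so objects in the input become __PHP_Incomplete_Class and no plugin or theme class is ever constructed; a JSON-based handler removes object semantics entirely where the data producer can be changed.

```php
<?php
// Added example (not the Friends plugin's code). Demonstrates the generic
// CWE-502 pattern in PHP beside a hardened replacement. All names here
// (AuditLogger, handle_query_vars_*, SAMPLE_INPUT) are assumptions.
declare(strict_types=1);

// Stand-in for a class with a "magic" method that some third-party plugin or
// theme might ship. The advisory notes Friends itself has no such POP chain;
// this one only records that its destructor ran.
final class AuditLogger
{
    public static bool $destructorFired = false;
    public string $logFile = '';

    // __destruct runs automatically when the instance is released; that
    // implicit execution is what a POP chain abuses.
    public function __destruct()
    {
        self::$destructorFired = true;
    }
}

// Constructed sample: a serialized AuditLogger object, as could arrive in any
// request parameter that is later handed to unserialize().
const SAMPLE_INPUT = 'O:11:"AuditLogger":1:{s:7:"logFile";s:10:"/tmp/x.log";}';

// VULNERABLE pattern: default unserialize() instantiates any named class.
function handle_query_vars_unsafe(string $raw): mixed
{
    return unserialize($raw);
}

// HARDENED pattern: allowed_classes => false converts every object in the
// input to __PHP_Incomplete_Class, which has no methods to trigger. Scalars
// and arrays still deserialize normally.
function handle_query_vars_hardened(string $raw): mixed
{
    return unserialize($raw, ['allowed_classes' => false]);
}

// PREFERRED where the producer can be changed: JSON carries no object
// semantics at all. Returns null for malformed or non-array input.
function handle_query_vars_json(string $raw): ?array
{
    $decoded = json_decode($raw, true);
    return is_array($decoded) ? $decoded : null;
}

// Monitoring aid (mitigation items 5 and 6): flag input that contains a
// serialized PHP object token ("O:<len>:\"") so it can be logged or blocked
// before any deserialization is attempted. Assumed regex, constructed here.
function contains_serialized_object(string $raw): bool
{
    return preg_match('/(^|[;{])O:\d+:"/', $raw) === 1;
}

// Walk-through of the three handlers on the same constructed input.
$flagged = contains_serialized_object(SAMPLE_INPUT);
printf("pre-check flags serialized object: %s\n", var_export($flagged, true));

$hardened = handle_query_vars_hardened(SAMPLE_INPUT);
printf("hardened handler produced: %s\n", get_class($hardened));
unset($hardened); // no destructor exists on __PHP_Incomplete_Class
printf("destructor fired after hardened path: %s\n",
    var_export(AuditLogger::$destructorFired, true));

$json = handle_query_vars_json('{"tab":"friends","page":2}');
printf("json handler produced: %s\n", var_export($json, true));

$unsafe = handle_query_vars_unsafe(SAMPLE_INPUT);
printf("unsafe handler produced: %s\n", get_class($unsafe));
unset($unsafe); // releasing the real AuditLogger runs its __destruct
printf("destructor fired after unsafe path: %s\n",
    var_export(AuditLogger::$destructorFired, true));
```

Run it with `php example.php`. The hardened path yields an __PHP_Incomplete_Class instance and leaves the destructor flag untouched, while the unsafe path constructs a real AuditLogger whose destructor runs as soon as the object is released; the pre-check function is the kind of signal a WAF rule or log monitor can key on without having to understand the full serialization grammar.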
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-07-11T20:20:57.183Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6875696ba83201eaaccaa8c7
Added to database: 7/14/2025, 8:32:43 PM
Last enriched: 7/14/2025, 8:33:32 PM
Last updated: 8/15/2025, 12:51:38 AM