CVE-2025-7504: CWE-502 Deserialization of Untrusted Data in akirk Friends
The Friends plugin for WordPress is vulnerable to PHP Object Injection in version 3.5.1 via deserialization of untrusted input of the query_vars parameter. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. This requires access to the site's SALT_NONCE and SALT_KEY to exploit.
AI Analysis
Technical Summary
CVE-2025-7504 is a vulnerability classified under CWE-502 (Deserialization of Untrusted Data) affecting the Friends plugin for WordPress, specifically version 3.5.1. The flaw arises from passing the untrusted query_vars parameter to PHP's unserialize(), which allows authenticated users with Subscriber privileges or higher to inject crafted PHP objects. PHP Object Injection is dangerous because unserialize() instantiates whatever classes the payload names and magic methods such as __wakeup() and __destruct() on those classes run automatically; a sequence of such methods whose behaviour is steered through attacker-controlled properties is a POP (Property Oriented Programming) gadget chain. The Friends plugin itself contains no known chain, so on its own the bug has no impact; the risk comes from gadget classes supplied by other installed plugins or themes. Successful exploitation also requires the site's secret keys and salts (the advisory calls them SALT_NONCE and SALT_KEY; WordPress defines them in wp-config.php and uses them to sign authentication cookies and nonces), which is reflected in the high attack complexity of the score. If exploited with a suitable chain, attackers could perform arbitrary file deletion, sensitive data exfiltration, or remote code execution, depending on the gadgets available. The CVSS 3.1 base score is 7.5 (High), vector AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H: network attack vector, high attack complexity, low privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. No public exploit is known at this time, but the risk remains significant given the potential damage when the flaw is combined with other vulnerable components.
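To make the mechanism concrete, the following is an added illustration written for this page; it is not code from the Friends plugin or from any other project. It shows a request handler that unserializes a query_vars value, a stand-in gadget class of the kind an unrelated plugin might ship, and the hardened and preferred alternatives. The class and function names, the payload and the file path are all assumptions made for the example.

```php
<?php
// Added illustration; not code from the Friends plugin. Every name here is
// invented for the example.

// Stand-in for a "gadget" class that some unrelated plugin or theme might
// ship: its magic methods have side effects driven by object properties.
// A real gadget might unlink($this->path) or include it; this one only logs.
class LoggingGadget
{
    public string $path = '';
    public static array $log = [];

    public function __wakeup(): void
    {
        // Called automatically when unserialize() rebuilds this object.
        self::$log[] = "__wakeup: would act on {$this->path}";
    }

    public function __destruct()
    {
        // Called when the object is released, even if the request handler
        // never touches it after unserialize() returns.
        self::$log[] = "__destruct: would act on {$this->path}";
    }
}

// VULNERABLE (CWE-502): a request-controlled string reaches unserialize().
// The attacker chooses the class name and every property value.
function handle_query_vars_vulnerable(string $raw): mixed
{
    return unserialize($raw);
}

// HARDENED: refuse to instantiate any class. Objects in the payload come back
// as __PHP_Incomplete_Class, whose magic methods never run. Arrays still work.
function handle_query_vars_hardened(string $raw): mixed
{
    return unserialize($raw, ['allowed_classes' => false]);
}

// PREFERRED: do not accept PHP's serialization format from a request at all.
function handle_query_vars_json(string $raw): ?array
{
    $decoded = json_decode($raw, true);
    return is_array($decoded) ? $decoded : null;
}

// Constructed payload: where the handler expects a serialized array such as
// a:1:{s:1:"s";s:4:"test";} the attacker sends a serialized LoggingGadget.
$payload = 'O:13:"LoggingGadget":1:{s:4:"path";s:18:"/var/www/wp-config";}';

$obj = handle_query_vars_vulnerable($payload);
unset($obj); // releasing the object fires __destruct
echo "vulnerable: ", implode(' | ', LoggingGadget::$log), PHP_EOL;

LoggingGadget::$log = [];
$obj = handle_query_vars_hardened($payload);
echo "hardened:   ", get_class($obj), ', gadget calls: ', count(LoggingGadget::$log), PHP_EOL;

var_dump(handle_query_vars_json($payload)); // NULL: the payload is not JSON
```

Run with any PHP 8 interpreter. The vulnerable path records both a __wakeup and a __destruct call on the attacker-chosen path even though the handler does nothing with the returned object; the hardened path returns a __PHP_Incomplete_Class and records no calls. This is exactly why the plugin's own lack of a gadget does not settle the matter: the class that does the damage can come from anywhere in the autoloaded code base.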
Potential Impact
The impact of CVE-2025-7504 depends on what else is installed. On a site running Friends 3.5.1 with no other plugin or theme that supplies a POP chain, an injected object is created and discarded without effect. Where such a chain exists, an attacker who already holds a Subscriber account and has obtained the site's secret keys could use it to execute arbitrary code, delete critical files, or steal sensitive information, which in turn can mean website defacement, data breaches, service disruption, or full site compromise. The requirement for the secret keys raises the bar but does not remove the risk: they may be exposed through another vulnerability (an arbitrary file read, a leaked backup or a copy of wp-config.php in a public repository) or by an insider. Organizations relying on WordPress for business-critical operations, e-commerce, or handling sensitive user data face reputational damage, regulatory penalties, and operational downtime if exploited. Because the vector is network-reachable and needs no user interaction, sites that allow open registration (new accounts receive the Subscriber role by default) and multi-tenant hosting environments are the most exposed.
Mitigation Recommendations
To mitigate CVE-2025-7504, organizations should:
1) Confirm whether the Friends plugin is installed and whether it is at version 3.5.1, the version this advisory covers; this record does not state which version fixes the issue, so update to the current release as soon as a fixed version is available, and if none is, deactivate or remove the plugin until one is.
2) Audit all installed plugins and themes for known POP gadget chains or unsafe deserialization, and update or remove vulnerable or unused components; every plugin or theme removed shrinks the pool of classes an injected object could reach.
3) Limit who can hold a Subscriber account: disable open registration (the "Anyone can register" setting) unless it is needed, since self-registered users receive the Subscriber role by default, prune stale accounts, and monitor for unusual activity from low-privilege users.
4) Protect the WordPress secret keys and salts (the advisory's SALT_NONCE and SALT_KEY): keep wp-config.php out of backups, logs, error messages and web-accessible paths, and rotate the keys if exposure is suspected; note that rotation invalidates every active session and nonce, so schedule it.
5) Implement Web Application Firewall (WAF) rules that detect and block serialized PHP object markers (an O:, C: or E: record with a class name) in the query_vars parameter, including URL-encoded and base64-wrapped forms.
6) Employ intrusion detection and log monitoring for exploitation attempts, such as requests carrying serialized objects in parameters or PHP errors mentioning unserialize() or __PHP_Incomplete_Class.
7) Harden WordPress installations by following best practices such as disabling PHP execution in upload directories, keeping core, plugins and themes current, and limiting plugin usage to trusted sources.
8) Conduct regular security assessments and penetration testing to identify chained vulnerabilities that could enable exploitation.
For plugin developers, the root-cause fix is never to call unserialize() on request data: accept JSON instead, or at minimum pass the allowed_classes option set to false so that no class in the payload is instantiated.
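As an added example of the detection logic behind recommendations 5 and 6 (written for this page; not a rule shipped by any WAF and not part of the Friends plugin), the function below inspects a single parameter value the way a WAF or a must-use plugin might, unwraps the common URL and base64 encodings, and flags PHP-serialized payloads that contain an object while letting an ordinary serialized array or JSON value through. The function name and the sample values are constructed for this illustration.

```php
<?php
// Added detection example; not code from the Friends plugin or from any WAF.
// Returns true when $raw looks like a PHP-serialized payload that contains
// at least one object record: O:<len>:"Class", C:<len>:"Class" (Serializable)
// or E:<len>:"Enum:Case" (enums, PHP 8.1+).
function looks_like_php_object_payload(string $raw): bool
{
    // Layer 1: the value may arrive URL-encoded once or twice.
    $candidates = [$raw];
    $decoded = $raw;
    for ($i = 0; $i < 2; $i++) {
        $next = rawurldecode($decoded);
        if ($next === $decoded) {
            break;
        }
        $decoded = $next;
        $candidates[] = $decoded;
    }

    // Layer 2: payloads are often base64-wrapped. Strict decoding returns
    // false for anything that is not base64, so plain values are skipped.
    // foreach iterates over a copy, so appending here does not loop forever.
    foreach ($candidates as $c) {
        $b64 = base64_decode($c, true);
        if ($b64 !== false && $b64 !== '') {
            $candidates[] = $b64;
        }
    }

    foreach ($candidates as $c) {
        // An object record anywhere in the value, including nested inside an
        // array. The lookbehind keeps "FOO:12:" in ordinary text from matching.
        if (preg_match('/(?<![A-Za-z0-9])[OCE]:\d+:"/', $c)) {
            return true;
        }
    }
    return false;
}

// Constructed test vectors (not real traffic).
$samples = [
    'plain array'        => 'a:1:{s:1:"s";s:4:"test";}',
    'json'               => '{"s":"test"}',
    'object'             => 'O:8:"stdClass":1:{s:1:"x";i:1;}',
    'nested object'      => 'a:1:{i:0;O:8:"stdClass":0:{}}',
    'url-encoded object' => 'O%3A8%3A%22stdClass%22%3A0%3A%7B%7D',
    'base64 object'      => base64_encode('O:8:"stdClass":0:{}'),
    'benign text'        => 'SEARCH: "O:" token in prose',
];

foreach ($samples as $label => $value) {
    printf("%-20s %s\n", $label, looks_like_php_object_payload($value) ? 'BLOCK' : 'allow');
}
```

The first two and the last sample are allowed; the four object variants are blocked. Hooking this from a must-use plugin early in the request against the query_vars value, or translating the regular expression into a WAF rule, is an assumption about deployment (the plugin's actual entry point is not shown on this page). The base64 branch is the caveat: a regex applied only to the raw request misses wrapped payloads, so decode before matching.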
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-07-11T20:20:57.183Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6875696ba83201eaaccaa8c7
Added to database: 7/14/2025, 8:32:43 PM
Last enriched: 2/26/2026, 4:17:43 PM
Last updated: 3/26/2026, 8:05:26 AM