WordPress · Friends Plugin For WordPress · CVE-2025-7504
Name of the Vulnerable Software and Affected Versions:
Friends plugin for WordPress version 3.5.1
Description:
The Friends plugin for WordPress is vulnerable to PHP Object Injection via deserialization of untrusted input in the `query vars` parameter. This allows authenticated attackers with subscriber-level access or higher to inject a PHP Object. The vulnerability has no impact unless another plugin or theme containing a PHP Object Payload (POP) chain is installed on the site. If a POP chain is present, an attacker may be able to perform actions such as deleting arbitrary files, retrieving sensitive data, or executing code. Exploitation requires access to the site's `SALT NONCE` and `SALT KEY`.
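As an added illustration (not code from the Friends plugin), the PHP below contrasts the pattern the advisory describes, `unserialize()` over a request-controlled query-vars value, with a hardened handler that refuses objects and whitelists keys. The function names are hypothetical; `sanitize_text_field()` assumes a WordPress runtime.

```php
<?php
// Illustrative code, not the Friends plugin's own. The functions are
// hypothetical and exist only to show the vulnerable sink beside a fix.

// VULNERABLE PATTERN: unserialize() on request-controlled bytes instantiates
// any loadable class, so __wakeup()/__destruct() of unrelated plugin or theme
// classes can run. This is the point at which a POP chain present elsewhere
// on the site becomes reachable. A nonce or salt-based signature in front of
// this call narrows who can reach it; it does not make the sink itself safe.
function friends_example_vulnerable_query_vars( string $raw ): array {
    $vars = unserialize( $raw ); // objects allowed
    return is_array( $vars ) ? $vars : array();
}

// HARDENED: PHP 7+ lets unserialize() refuse every class. Objects come back as
// __PHP_Incomplete_Class with no magic methods invoked, and the is_array()
// check then discards them. Only known query keys with scalar values survive.
function friends_example_safe_query_vars( string $raw ): array {
    $vars = @unserialize( $raw, array( 'allowed_classes' => false ) );
    if ( ! is_array( $vars ) ) {
        return array();
    }
    // Allow-list of WP_Query keys this handler is expected to accept.
    $allowed = array( 'post_type', 'author', 'paged', 'posts_per_page', 's' );
    $clean   = array();
    foreach ( $allowed as $key ) {
        if ( isset( $vars[ $key ] ) && is_scalar( $vars[ $key ] ) ) {
            // WordPress core sanitizer; strips tags and control characters.
            $clean[ $key ] = sanitize_text_field( (string) $vars[ $key ] );
        }
    }
    return $clean;
}

// PREFERRED: carry the structure as JSON, which has no way to encode a PHP
// object, so the deserialization step cannot instantiate classes at all.
function friends_example_json_query_vars( string $raw ): array {
    $vars = json_decode( $raw, true );
    return is_array( $vars ) ? $vars : array();
}
```

When auditing a site, grep plugin and theme code for `unserialize(` calls whose input can be traced to a request parameter and check whether `allowed_classes` is set; that finding, rather than the presence of a gadget chain, is what a patch needs to remove.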
Recommendations:
Update to a newer version of the Friends plugin for WordPress that addresses this issue.