CVE-2025-7504

Name of the Vulnerable Software and Affected Versions: Friends plugin for WordPress version 3.5.1

Description: The Friends plugin for WordPress is vulnerable to PHP Object Injection via deserialization of untrusted input of the query vars parameter. This allows authenticated attackers with subscriber-level access or higher to inject a PHP Object. The vulnerability has no impact unless another plugin or theme containing a PHP Object Payload (POP) chain is installed on the site. If a POP chain is present, an attacker may be able to perform actions such as deleting arbitrary files, retrieving sensitive data, or executing code. Exploitation requires access to the site's SALT NONCE and SALT KEY.

Recommendations: Update to a newer version of the Friends plugin for WordPress that addresses this issue.