PT-2025-50846 · WordPress · Visitor Logic Lite

Ivan Cese · Published 2025-12-12 · Updated 2025-12-17 · CVE-2025-14044

CVSS v3.1: 8.1 High

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Visitor Logic Lite plugin for WordPress versions up to and including 1.0.3

Description

The Visitor Logic Lite plugin for WordPress is susceptible to PHP Object Injection due to the deserialization of untrusted input from the lpblocks cookie. The lp_track() function passes unsanitized cookie data directly to the unserialize() function, allowing potential attackers to inject a PHP Object. While no known POP chain exists within the vulnerable software itself, the presence of a POP chain via an additional plugin or theme could allow attackers to delete arbitrary files, retrieve sensitive data, or execute code, provided they have access to the WordPress site.

Recommendations

Update the Visitor Logic Lite plugin to a version beyond 1.0.3.
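
The sketch below is an added example, not the plugin's code: it sets the cookie-to-unserialize() pattern from the description beside a hardened reader. The function names, the DemoGadget class, the 4096-byte limit and the assumption that the cookie only needs a flat list of integers and strings are all hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for a class that another plugin or theme might define.
// Its magic method only records that it ran.
final class DemoGadget
{
    public static array $log = [];
    public function __wakeup(): void
    {
        self::$log[] = '__wakeup ran during unserialize()';
    }
}

// The pattern the advisory describes: cookie bytes go straight into unserialize().
function read_blocks_unsafe(array $cookies)
{
    return isset($cookies['lpblocks']) ? unserialize($cookies['lpblocks']) : [];
}

// Hardened reader. Assumption: the cookie only needs a flat list of ints/strings.
function read_blocks_safe(array $cookies): array
{
    $raw = $cookies['lpblocks'] ?? '';
    if (!is_string($raw) || $raw === '' || strlen($raw) > 4096) {
        return [];
    }
    // allowed_classes=false: objects become __PHP_Incomplete_Class, no magic methods run.
    $data = @unserialize($raw, ['allowed_classes' => false, 'max_depth' => 2]);
    if (!is_array($data)) {
        return [];
    }
    foreach ($data as $value) {
        if (!is_int($value) && !is_string($value)) {
            return []; // rejects incomplete-class objects and nested structures
        }
    }
    return $data;
}

// Constructed cookie values, standing in for $_COOKIE.
$benign = ['lpblocks' => serialize([12, 'sidebar'])];
$object = ['lpblocks' => serialize([new DemoGadget()])];

read_blocks_unsafe($object);
echo 'unsafe reader, magic method calls: ', count(DemoGadget::$log), PHP_EOL;
DemoGadget::$log = [];
echo 'safe reader, entries accepted: ', count(read_blocks_safe($object)), PHP_EOL;
echo 'safe reader, magic method calls: ', count(DemoGadget::$log), PHP_EOL;
echo 'safe reader, benign cookie: ', json_encode(read_blocks_safe($benign)), PHP_EOL;
```

Where the stored format can be changed, json_encode() and json_decode() remove the object-instantiation path entirely.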

Fix

Deserialization of Untrusted Data

Weakness Enumeration

Related Identifiers: CVE-2025-14044

Affected Products: Visitor Logic Lite