PT-2025-52575 · WordPress · Live Composer – Free Wordpress Website Builder
Athiwat Tiprasaharn
·
Published
2025-12-21
·
Updated
2025-12-26
·
CVE-2025-14071
CVSS v3.1
7.5
High
| Vector | AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Live Composer – Free WordPress Website Builder plugin versions prior to 2.0.3
Description
The Live Composer – Free WordPress Website Builder plugin for WordPress is susceptible to PHP Object Injection due to deserialization of untrusted input within the
dslc module posts output shortcode. This allows authenticated attackers with Contributor-level access or higher to inject a PHP Object. The impact of this issue is limited unless another plugin or theme containing a PHP Object Payload (POP) chain is installed. If a POP chain is present, an attacker may be able to perform actions such as deleting arbitrary files, retrieving sensitive data, or executing code.Recommendations
Update Live Composer – Free WordPress Website Builder plugin to version 2.0.3 or later.
Fix
Deserialization of Untrusted Data
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Live Composer – Free Wordpress Website Builder