CVE-2025-14071
📋 TL;DR
The Live Composer WordPress plugin is vulnerable to PHP object injection: the dslc_module_posts_output shortcode deserializes untrusted input. An authenticated attacker with Contributor-level access or higher can supply a serialized PHP object, but the plugin itself contains no gadget (POP) chain, so turning the injection into code execution, file deletion or data theft requires a chain from another installed plugin or theme. Without such a chain the vulnerability has no direct impact.
💻 Affected Systems
- Live Composer – Free WordPress Website Builder
⚠️ Manual Verification Required
The CVE/NVD record for this entry does not carry affected-version ranges, so automated version matching cannot determine whether your install is affected.
Why? The CVE database entry does not specify which versions are vulnerable (no version ranges provided by the vendor/NVD). The fix section below relies on the vendor changeset instead and treats 2.0.2 as the last vulnerable release; confirm that against the advisory for your installed version.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
If combined with a POP chain from another plugin/theme, attackers could execute arbitrary code, delete files, or steal sensitive data leading to complete site compromise.
Likely Case
Limited impact since no POP chain exists in the vulnerable plugin itself; exploitation requires specific additional vulnerable components.
If Mitigated
With proper access controls and no vulnerable POP chains present, the vulnerability has minimal to no impact.
🎯 Exploit Status
Exploitation requires authenticated access (Contributor role or higher) and a separate POP chain from another plugin or theme.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: any release later than 2.0.2
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3419715/live-composer-page-builder/trunk/modules/posts/module.php
Restart Required: No
Instructions:
1. Update the Live Composer plugin to the latest version via the WordPress admin panel.
2. Verify that the installed version is later than 2.0.2.
3. No server restart is required.
🔧 Temporary Workarounds
Remove the vulnerable shortcode
Disable or remove the dslc_module_posts_output shortcode functionality.
Edit the theme or plugin files to remove or disable calls to dslc_module_posts_output. Caveat: any page that relies on the Posts module will stop rendering that output until the plugin is patched.
Restrict user roles
Limit Contributor-level access to trusted users only.
Use WordPress role management plugins to restrict Contributor role assignments, and review existing Contributor accounts for ones that are no longer needed.
🧯 If You Can't Patch
- Disable the Live Composer plugin entirely until patched
- Implement strict access controls and monitor for suspicious Contributor-level activity
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel for Live Composer plugin version. If version is 2.0.2 or lower, the system is vulnerable.
Check Version:
wp plugin get live-composer-page-builder --field=version (if WP-CLI is installed; live-composer-page-builder is the plugin slug) or check the Plugins page in the WordPress admin panel
Verify Fix Applied:
Verify the plugin version is higher than 2.0.2 after updating.
📡 Detection & Monitoring
Log Indicators:
- POST requests to post-content endpoints (wp-admin/post.php, wp-admin/admin-ajax.php, the wp-json/wp/v2/posts REST routes) whose body contains a PHP serialized object signature (O:<length>:"<ClassName>":<count>:{), especially alongside the dslc_module_posts_output shortcode
- Suspicious activity from Contributor-level accounts, such as drafts or previews created outside normal editorial patterns
Network Indicators:
- HTTP requests carrying serialized PHP objects in parameters or in submitted post content
SIEM Query:
source="wordpress" AND http_method="POST" AND (uri_path="*/wp-admin/post.php" OR uri_path="*/wp-admin/admin-ajax.php" OR uri_path="*/wp-json/wp/v2/posts*") AND post_data="*O:*:\"*\":*:{*"
Caveats: field names depend on your log source; request bodies are not captured by default web-server logging, so this query needs WAF or application-level logging of POST data. Matching on a bare "O:" (as in the original query) is too noisy to alert on; require the full object signature.
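The following Python script is an added example for the indicators above; it is not part of the original page, the plugin, or any vendor tooling. It scans constructed request records (method, path, decoded-or-encoded body) for the PHP serialized object signature, checks that the declared class-name length matches the name (which discards loose "O:" text), and lists the class names a payload references so an analyst can tell whether they belong to a plugin or theme that could supply a POP chain. The endpoint list, the sample requests, and the class name Hypothetical_Gadget are assumptions made up for the example.

```python
import re
from urllib.parse import unquote_plus

# Strict signature of a PHP serialized object: O:<len>:"<ClassName>":<nprops>:{
# A bare "O:" is far too noisy to alert on, so the whole header is required.
PHP_OBJECT_RE = re.compile(r'O:(\d+):"([A-Za-z_\\][\w\\]*)":(\d+):\{')

# WordPress endpoints where a Contributor submits post content (shortcodes live in
# post_content). Assumed list for this example; adjust to your install's paths.
CONTENT_ENDPOINTS = (
    "/wp-admin/post.php",
    "/wp-admin/admin-ajax.php",
    "/wp-json/wp/v2/posts",
)

# Constructed sample requests (method, path, body or query string). None of these
# come from a real incident; the class name Hypothetical_Gadget is made up.
SAMPLE_REQUESTS = [
    # 1: serialized object smuggled into a shortcode attribute in post_content
    ("POST", "/wp-admin/post.php",
     "action=editpost&post_ID=42&content=%5Bdslc_module_posts_output+"
     "O%3A19%3A%22Hypothetical_Gadget%22%3A1%3A%7Bs%3A4%3A%22path%22%3B"
     "s%3A10%3A%22%2Ftmp%2Fx.log%22%3B%7D%5D"),
    # 2: benign text that merely contains "O:" (must not alert)
    ("POST", "/wp-admin/post.php",
     "action=editpost&post_ID=43&content=TODO%3A+ask+O%3A+about+the+O%3A2+form"),
    # 3: looks like a header but the declared length (5) does not match "Bad" (3)
    ("POST", "/wp-admin/post.php",
     "action=editpost&post_ID=44&content=O%3A5%3A%22Bad%22%3A0%3A%7B%7D"),
    # 4: serialized object in a search query to the front end (worth a look, but
    #    not the post-content path this CVE is about)
    ("GET", "/", "s=O%3A3%3A%22Foo%22%3A0%3A%7B%7D"),
]


def php_object_classes(text):
    """Return the class name of every PHP serialized object header in text whose
    declared length matches the class name. Nested objects are found too, since
    each object carries its own header."""
    classes = []
    for m in PHP_OBJECT_RE.finditer(text):
        declared_len, name = int(m.group(1)), m.group(2)
        if declared_len == len(name):
            classes.append(name)
    return classes


def analyze_request(method, path, payload):
    """URL-decode one request body/query string and report serialized PHP objects.
    Returns a finding dict, or None when nothing object-like is present."""
    decoded = unquote_plus(payload)
    classes = php_object_classes(decoded)
    if not classes:
        return None
    return {
        "method": method,
        "path": path,
        # True when the request hits an endpoint that stores post content
        "content_endpoint": path.startswith(CONTENT_ENDPOINTS),
        # True when the payload also names the shortcode from this CVE
        "has_shortcode": "dslc_module_posts_output" in decoded,
        # Class names to check against installed plugins/themes for gadgets
        "classes": classes,
    }


def scan_requests(requests):
    """Run analyze_request over a list of (method, path, payload) records."""
    findings = []
    for method, path, payload in requests:
        finding = analyze_request(method, path, payload)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_requests(SAMPLE_REQUESTS):
        severity = "HIGH" if f["content_endpoint"] and f["has_shortcode"] else "REVIEW"
        print(f"[{severity}] {f['method']} {f['path']} classes={f['classes']}")
```

Feed it whatever your WAF or application log exports as request bodies; the length check is what keeps sample 3 and ordinary prose out of the results, and the "classes" list is the piece to hand to whoever audits which installed plugin or theme defines those classes.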
🔗 References
- https://github.com/live-composer/live-composer-page-builder/commit/2b0b430ab107eb6cb72196251e429a695c11e41b
- https://plugins.trac.wordpress.org/browser/live-composer-page-builder/tags/1.5.53/modules/posts/module.php#L2807
- https://plugins.trac.wordpress.org/browser/live-composer-page-builder/trunk/modules/posts/module.php#L2807
- https://plugins.trac.wordpress.org/changeset/3419715/live-composer-page-builder/trunk/modules/posts/module.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/4b15c991-5256-405c-8382-85dba6f032ba?source=cve
- https://github.com/live-composer/live-composer-page-builder/commit/17176e259878b450f9feaabbf42522b0e360ff96