CVE-2025-49386
📋 TL;DR
CVE-2025-49386 is a PHP object injection vulnerability in the WordPress Preserve Code Formatting plugin that allows attackers to execute arbitrary code through deserialization of untrusted data. This affects all WordPress sites using the plugin version 4.0.1 or earlier. Successful exploitation could lead to complete site compromise.
💻 Affected Systems
- WordPress Preserve Code Formatting plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete server compromise, data theft, malware installation, and lateral movement within the network.
Likely Case
Website defacement, data exfiltration, backdoor installation, and privilege escalation on the WordPress instance.
If Mitigated
Limited impact if proper input validation and output encoding are implemented, though deserialization vulnerabilities remain dangerous.
🎯 Exploit Status
Deserialization vulnerabilities in WordPress plugins are frequently weaponized. The CVSS 9.8 score indicates trivial exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.0.2 or later
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Preserve Code Formatting' and click 'Update Now'. 4. Verify version is 4.0.2 or higher.
🔧 Temporary Workarounds
Disable Plugin
allTemporarily disable the vulnerable plugin until patched
wp plugin deactivate preserve-code-formatting
Remove Plugin Files
linuxCompletely remove the plugin files from the server
rm -rf /path/to/wordpress/wp-content/plugins/preserve-code-formatting/
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block deserialization attempts
- Restrict access to affected WordPress instances using IP whitelisting
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Preserve Code Formatting → Version. If version is 4.0.1 or lower, you are vulnerable.Check Version:
wp plugin get preserve-code-formatting --field=versionVerify Fix Applied:
After updating, verify version shows 4.0.2 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to WordPress admin-ajax.php or admin-post.php
- PHP serialized data in request parameters
- Unexpected file creation in wp-content/uploads
Network Indicators:
- HTTP requests containing serialized PHP objects (O: or a: patterns)
- Traffic to known exploit servers from WordPress instances
SIEM Query:
source="wordpress.log" AND ("preserve-code-formatting" OR "admin-ajax.php") AND ("O:" OR "a:" OR "s:" OR "i:")