CVE-2025-0855: 
WordPress vulnerability analysis and mitigation

The PGS Core plugin for WordPress contains a PHP Object Injection vulnerability (CVE-2025-0855) discovered in all versions up to and including 5.8.0. The vulnerability exists in the 'import_header' function where untrusted input can be deserialized, allowing unauthenticated attackers to inject PHP Objects (NVD).

The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data) with a CVSS v3.1 Base Score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). While no known POP (Property-Oriented Programming) chain is present in the vulnerable software itself, the vulnerability could be exploited if a POP chain exists via additional plugins or themes installed on the target system (NVD).

If successfully exploited through an additional plugin or theme that provides a POP chain, this vulnerability could allow attackers to delete arbitrary files, retrieve sensitive data, or execute arbitrary code on the affected system (NVD).

The vulnerability has been addressed in version 4.19.120 of the PGS Core plugin, released in February 2025. Users are advised to update to this version which includes security fixes to prevent PHP Object Injection (PGS Changelog).