CVE-2025-22510: 
WordPress vulnerability analysis and mitigation

The WC Price History for Omnibus plugin for WordPress contains a Deserialization of Untrusted Data vulnerability (CVE-2025-22510) that allows Object Injection. This vulnerability affects versions up to and including 2.1.4 of the plugin. The issue was discovered by Webula and publicly disclosed on January 7, 2025 (WPScan, Patchstack).

The vulnerability is classified as a PHP Object Injection issue that occurs through deserialization of untrusted input. It has been assigned a CVSS score of 7.2 (High) and requires authentication with shop manager-level access or above to exploit. No known POP (Property-Oriented Programming) chain is present in the vulnerable software itself, though additional plugins or themes could potentially provide one (WPScan).

If exploited successfully, and if a POP chain is present via additional plugins or themes on the target system, this vulnerability could allow authenticated attackers to perform various malicious actions including deletion of arbitrary files, retrieval of sensitive data, or execution of arbitrary code (WPScan).

The vulnerability has been patched in version 2.1.5 of the WC Price History for Omnibus plugin. Users are advised to update to this version or later to resolve the security issue. Patchstack has also issued a virtual patch to mitigate this vulnerability by blocking potential attacks until users can update to the fixed version (Patchstack).