CVE-2025-47530: 
WordPress vulnerability analysis and mitigation

A critical Deserialization of Untrusted Data vulnerability (CVE-2025-47530) was discovered in WPFunnels WordPress plugin versions through 3.5.18. The vulnerability was reported by researcher timomangcut and publicly disclosed on May 12, 2025. This unauthenticated PHP Object Injection vulnerability affects all versions of WPFunnels up to and including version 3.5.18 (Wiz, Patchstack).

The vulnerability has been assigned a Critical CVSS v3.1 score of 9.8, with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The issue is classified as CWE-502 (Deserialization of Untrusted Data) and allows for PHP Object Injection in the WPFunnels plugin (NVD, Patchstack).

The vulnerability is considered highly dangerous and expected to become mass exploited. If a proper POP chain is present, it could allow malicious actors to execute code injection, SQL injection, path traversal, and denial of service attacks (Patchstack).

Users are strongly advised to update to WPFunnels version 3.5.19 or later, which contains the fix for this vulnerability. Patchstack has issued a virtual patch to mitigate this issue by blocking any attacks until users can update to a fixed version (Patchstack).