CVE-2025-47532: 
WordPress vulnerability analysis and mitigation

A critical Deserialization of Untrusted Data vulnerability (CVE-2025-47532) was discovered in CoinPayments.net Payment Gateway for WooCommerce plugin versions through 1.0.17. The vulnerability was reported by researcher timomangcut on April 27, 2025, and was publicly disclosed on May 7, 2025. This security flaw allows for PHP Object Injection in the WordPress plugin (Patchstack).

The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data) and has received a Critical CVSS v3.1 base score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The high severity score indicates that the vulnerability is network-accessible, requires low attack complexity, needs no privileges or user interaction, and can result in high impacts to confidentiality, integrity, and availability (NVD, Patchstack).

The vulnerability could allow malicious actors to execute various attacks including code injection, SQL injection, path traversal, and denial of service if a proper POP chain is present. The unauthenticated nature of the vulnerability makes it particularly dangerous and is expected to become mass exploited (Patchstack).

Users are strongly advised to update to version 1.0.18 or later of the CoinPayments.net Payment Gateway for WooCommerce plugin to resolve this vulnerability. Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack).