CVE-2025-47536: 
WordPress vulnerability analysis and mitigation

A Deserialization of Untrusted Data vulnerability was discovered in the WordPress Content Egg plugin, identified as CVE-2025-47536. The vulnerability affects Content Egg versions up to 7.0.0 and allows for Object Injection. The issue was initially reported on April 29, 2025, and was publicly disclosed on July 30, 2025 (Patchstack).

The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data) and has received a CVSS v3.1 Base Score of 7.2 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. The vulnerability requires Editor or higher privileges to exploit (Patchstack).

The PHP Object Injection vulnerability could potentially allow malicious actors to execute code injection, SQL injection, path traversal, or denial of service attacks if a proper POP chain is present. The specific impact may vary depending on the implementation and environment (Patchstack).

The vulnerability has been fixed in Content Egg version 8.0.0. Users are advised to update to version 8.0.0 or later to resolve the vulnerability. Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack).