CVE-2025-39527 HIGH

CVE-2025-39527: WordPress Rating by BestWebSoft plugin <= 1.7 - PHP Object Injection Vulnerability

Vendor Bestweblayout
Product Rating by BestWebSoft
Weakness CWE-502 · Deserialization of Untrusted Data
Published April 17, 2025
Last update April 28, 2026

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

Deserialization of Untrusted Data vulnerability in bestweblayout Rating by BestWebSoft (plugin slug rating-bws) allows Object Injection. This issue affects Rating by BestWebSoft: from n/a through <= 1.7.

Explanation of Vulnerability in Simple Terms

02 Summary

The Rating by BestWebSoft plugin for WordPress (slug rating-bws) passes untrusted request data to PHP's unserialize() in versions 1.7 and earlier. An authenticated attacker with a low-privilege account can send a request carrying a crafted serialized object; PHP rebuilds that object with attacker-chosen property values and runs its magic methods (__wakeup, __destruct and similar). What that buys the attacker depends on which classes are loaded on the site: with a suitable gadget chain from the plugin, another plugin, a theme or WordPress core, object injection becomes remote code execution, giving full control over the site's data and functionality.
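The vulnerable pattern beside its hardened form, as an added illustration of CWE-502 in a WordPress-style handler. This is not the Rating by BestWebSoft plugin's code and does not reproduce the affected code path; the LogWriter gadget class, the handler names and the request payload are all hypothetical and constructed for the example.

```php
<?php
// Added example: CWE-502 in a WordPress-style request handler.
// Nothing here is taken from the rating-bws plugin; class, function
// and payload are constructed for illustration.

// Hypothetical gadget: any loaded class whose magic method does real work
// (here, a destructor that writes a file) can be abused once an attacker
// controls its properties through unserialize().
class LogWriter {
    public $path = '/tmp/rating.log';
    public $data = '';
    public function __destruct() {
        // Runs automatically when the object is destroyed, even if the
        // object came from attacker-supplied serialized data.
        file_put_contents($this->path, $this->data);
    }
}

// Vulnerable pattern: request data goes straight into unserialize(), so
// the attacker picks the class and every property value.
function load_settings_vulnerable(string $raw) {
    return unserialize($raw);
}

// Hardened pattern 1: keep PHP serialization but forbid all classes.
// Objects in the payload become __PHP_Incomplete_Class stubs, and no
// __wakeup/__destruct code runs. Use an explicit class list only if
// the format genuinely needs objects.
function load_settings_hardened(string $raw): array {
    $value = unserialize($raw, ['allowed_classes' => false]);
    return is_array($value) ? $value : [];
}

// Hardened pattern 2: do not accept PHP-serialized input at all; JSON
// cannot instantiate classes. Validate the fields you expect afterwards.
function load_settings_json(string $raw): array {
    $value = json_decode($raw, true);
    return is_array($value) ? $value : [];
}

// Constructed attacker payload: a serialized LogWriter whose path and
// data the attacker chose (string lengths must match exactly).
$payload = 'O:9:"LogWriter":2:{s:4:"path";s:17:"/tmp/injected.txt";'
         . 's:4:"data";s:8:"injected";}';

// Vulnerable: the gadget is rebuilt, and the moment it goes out of
// scope its destructor writes /tmp/injected.txt with attacker content.
$obj = load_settings_vulnerable($payload);
echo "vulnerable path rebuilt: " . get_class($obj) . PHP_EOL;
unset($obj);                                   // __destruct() fires here
echo "file written: " . var_export(file_exists('/tmp/injected.txt'), true) . PHP_EOL;
@unlink('/tmp/injected.txt');

// Hardened: the same payload is reduced to an incomplete-class stub,
// so the destructor never runs and the handler returns an empty array.
$stub = unserialize($payload, ['allowed_classes' => false]);
echo "hardened class: " . get_class($stub) . PHP_EOL;
echo "hardened settings: " . var_export(load_settings_hardened($payload), true) . PHP_EOL;
echo "json settings: " . var_export(load_settings_json('{"stars":5}'), true) . PHP_EOL;
```

When reviewing a plugin for this class of bug, grep for every unserialize() call (and for WordPress's maybe_unserialize(), which wraps plain unserialize() without an allowed_classes restriction) and trace whether the argument can originate from $_GET, $_POST, a cookie or user-writable metadata; the CVSS PR:L here is consistent with a handler reachable by any logged-in user.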

What an attacker can do

03 Attacker Capabilities

Run their own PHP code on the server hosting the site, read or modify any data the site holds, and take full control of the WordPress installation.

Potential impact on your site

04 Site Impact

Any user with a low-privilege account can compromise the entire site. Update the plugin past version 1.7 immediately, audit user accounts (especially if registration is open), and review the server for files or scheduled tasks the plugin would not normally create.

Conditions required to exploit

05 Prerequisites

Attacker must have a low-privilege WordPress user account (e.g., subscriber or contributor role).

Key dates

06 Disclosure timeline

April 17, 2025 CVE published
April 28, 2026 Record updated