CVE-2025-48101 HIGH

CVE-2025-48101: WordPress Constant Contact for WordPress Plugin <= 4.1.1 - PHP Object Injection Vulnerability

Vendor Webdevstudios
Product Constant Contact for WordPress
Weakness CWE-502 · Unsafe deserialization
Published September 9, 2025
Last update April 28, 2026

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Scope Unchanged
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Deserialization of Untrusted Data vulnerability in webdevstudios Constant Contact for WordPress allows Object Injection. This issue affects Constant Contact for WordPress: from n/a through 4.1.1.

Explanation of Vulnerability in Simple Terms

02Summary

The Constant Contact for WordPress plugin, through version 4.1.1, passes data it does not control to PHP's unserialize() without validating it (CWE-502). Because unserialize() instantiates whatever classes the serialized string names, an attacker can create objects of any class loaded on the site with attacker-chosen property values. When a class with a suitable magic method (__wakeup, __destruct, __toString) is available on the site, a so-called gadget or POP chain, this escalates to arbitrary file writes, file deletion, or execution of arbitrary PHP code. The CVSS vector rates the attack as unauthenticated but requiring user interaction: the attacker must get a site user to follow a crafted link or visit an attacker-controlled page that delivers the malicious serialized payload. On a vulnerable site the confidentiality, integrity, and availability of the WordPress installation are all at risk.
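To make the mechanism concrete, the following is an added PHP illustration of CWE-502 written for this page; it is not code from the Constant Contact plugin or from WebDevStudios, and the CacheEntry class, the handler functions, the secret key, and the request values are all hypothetical. It shows a minimal gadget whose __destruct runs as a side effect of unserialize(), the vulnerable pattern, and three hardened alternatives.

```php
<?php
declare(strict_types=1);
// Added illustration of PHP object injection (CWE-502). NOT the plugin's code:
// the class, handlers, key and payload below are hypothetical.

// A "gadget": any class on the autoload path whose magic methods act on
// attacker-controlled properties. Here __destruct writes a file.
class CacheEntry {
    public string $path = '/tmp/cache-entry.txt';
    public string $body = '';
    public function __destruct() {
        // Runs when the object is freed, which happens right after unserialize()
        // if the caller discards the result.
        file_put_contents($this->path, $this->body);
    }
}

// VULNERABLE: an attacker-controlled string goes straight into unserialize().
function vulnerable_handler(string $untrusted): mixed {
    return unserialize($untrusted);
}

// HARDENED option 1: refuse to instantiate any class. Objects come back as
// __PHP_Incomplete_Class and their magic methods never execute.
function hardened_unserialize(string $untrusted): mixed {
    return unserialize($untrusted, ['allowed_classes' => false]);
}

// HARDENED option 2: authenticate the blob with an HMAC so only data the site
// itself produced is ever deserialized (hex HMAC never contains '.').
function sign(string $payload, string $key): string {
    return hash_hmac('sha256', $payload, $key) . '.' . $payload;
}
function verified_unserialize(string $token, string $key): mixed {
    [$mac, $payload] = explode('.', $token, 2) + [null, null];
    if ($payload === null || !hash_equals(hash_hmac('sha256', $payload, $key), $mac)) {
        throw new RuntimeException('payload failed integrity check');
    }
    return unserialize($payload, ['allowed_classes' => false]);
}

// HARDENED option 3 (preferred for new code): JSON cannot express PHP objects.
function json_handler(string $untrusted): array {
    $decoded = json_decode($untrusted, true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($decoded)) {
        throw new RuntimeException('expected a JSON object or array');
    }
    return $decoded;
}

// Constructed attacker payload: a serialized CacheEntry whose path the attacker
// chooses. In a real attack it arrives in a cookie, POST field or query string.
$target  = sys_get_temp_dir() . '/poi-demo.txt';
$payload = sprintf(
    'O:10:"CacheEntry":2:{s:4:"path";s:%d:"%s";s:4:"body";s:5:"pwned";}',
    strlen($target), $target
);

@unlink($target);
vulnerable_handler($payload);   // result discarded, so __destruct fires at once
printf("vulnerable: file written = %s\n", var_export(file_exists($target), true));

@unlink($target);
$obj = hardened_unserialize($payload);
printf("hardened:   class = %s, file written = %s\n",
    get_class($obj), var_export(file_exists($target), true));

try {
    verified_unserialize($payload, 'site-secret');   // hypothetical key
} catch (RuntimeException $e) {
    printf("verified:   rejected (%s)\n", $e->getMessage());
}
$token = sign(serialize(['page' => 2]), 'site-secret');
printf("verified:   accepted %s\n", json_encode(verified_unserialize($token, 'site-secret')));

try {
    json_handler($payload);
} catch (JsonException $e) {
    printf("json:       rejected (%s)\n", $e->getMessage());
}
```

Run it with `php poi-demo.php`: the vulnerable handler writes the attacker-chosen file, the allowed_classes => false variant yields a __PHP_Incomplete_Class whose magic methods never run, the HMAC variant rejects anything the site did not sign, and the JSON variant cannot represent objects at all. Note that allowed_classes => false still deserializes attacker-controlled scalars and arrays, so the resulting structure must still be validated before use; it is a containment measure, not a substitute for keeping untrusted input out of unserialize() entirely.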

What an attacker can do

03Attacker Capabilities

Instantiate arbitrary PHP objects with attacker-chosen property values on the site. Where a usable gadget chain exists in the plugin, in another installed plugin or theme, or in WordPress core, this escalates to running arbitrary PHP code and taking full control of the WordPress installation.

Potential impact on your site

04Site Impact

Complete compromise of the WordPress site when a gadget chain is available: read access to all user data, modification or deletion of content and files, and installation of malware or backdoors that can persist after the plugin itself is updated.

Conditions required to exploit

05Prerequisites

Network access to the site and user interaction are required: the attacker needs no account on the site but must get a user to click a crafted link or visit an attacker-controlled page. Impact beyond object instantiation additionally depends on a gadget chain being present in the code installed on the site.

Key dates

06Disclosure timeline

September 9, 2025 CVE published
April 28, 2026 Record updated