CVE-2025-49895 MEDIUM

CVE-2025-49895: WordPress ServerBuddy by PluginBuddy.com plugin <= 1.0.5 - CSRF to PHP Object Injection vulnerability

Vendor Ithemes
Product ServerBuddy by PluginBuddy.com
Weakness CWE-352 · CSRF
Published August 16, 2025
Last update April 28, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

What the vulnerability does

01 Description

Cross-Site Request Forgery (CSRF) vulnerability in iThemes ServerBuddy by PluginBuddy.Com allows Object Injection. This issue affects ServerBuddy by PluginBuddy.Com: from n/a through 1.0.5.

Explanation of Vulnerability in Simple Terms

02 Summary

ServerBuddy by PluginBuddy.com versions up to and including 1.0.5 contain a cross-site request forgery (CSRF) weakness that leads to PHP Object Injection. A state-changing request handler in the plugin does not verify that the request was intentionally issued from the site (in WordPress terms, it performs no nonce check), so a request forged from an attacker-controlled page is accepted when a logged-in administrator's browser submits it. Attacker-controlled data carried by that forged request is then handed to PHP's unserialize(), which is what PHP Object Injection means: the attacker, not the plugin, decides which PHP objects get instantiated, and any class with a magic method such as __wakeup() or __destruct() becomes a potential gadget. The CVSS vector rates privileges required as Low, so the attacker is assumed to hold a low-privileged account on the site, and the rated impact is to integrity only (C:N/I:H/A:N). The attack requires the administrator to visit the attacker's page while logged in. No patch version is currently available.
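The pattern behind this class of bug, shown as an added illustration rather than ServerBuddy's own code: a WordPress admin-post handler that unserializes request data with no nonce check, beside a hardened version of the same handler. The hook names, option name, capability and request parameter names (`example_import_settings`, `example_settings`, `settings`, `_example_nonce`) are hypothetical; only the WordPress API calls are real.

```php
<?php
// Added example, not code from the ServerBuddy plugin. All example_* names,
// the 'example_settings' option and the 'settings' POST field are hypothetical.

// --- Vulnerable pattern: CSRF -> PHP Object Injection ---
// A state-changing admin action that takes a serialized blob from the request
// and unserializes it. There is no nonce check, so a form auto-submitted from
// an attacker's page is accepted when a logged-in admin's browser sends it,
// and unserialize() on attacker-controlled input instantiates whatever
// classes the attacker names (any __wakeup()/__destruct() gadget on the site).
add_action( 'admin_post_example_import_settings', 'example_import_settings_vulnerable' );
function example_import_settings_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden' );
    }
    // Missing: check_admin_referer( ... )  -> CSRF.
    // unserialize() of request data       -> PHP Object Injection.
    $settings = unserialize( wp_unslash( $_POST['settings'] ?? '' ) );
    update_option( 'example_settings', $settings );
    wp_safe_redirect( admin_url( 'options-general.php?page=example' ) );
    exit;
}

// --- Hardened pattern ---
// 1. The admin form that posts to this action must include a nonce field:
//       wp_nonce_field( 'example_import_settings', '_example_nonce' );
//    A cross-site page cannot read that value, so it cannot forge the request.
// 2. The handler verifies the nonce before touching any state
//    (check_admin_referer() calls wp_die() on failure).
// 3. Request data is parsed as JSON into plain arrays and allow-listed;
//    no object is ever instantiated from request data.
add_action( 'admin_post_example_import_settings_safe', 'example_import_settings_hardened' );
function example_import_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden' );
    }
    check_admin_referer( 'example_import_settings', '_example_nonce' );

    $raw      = wp_unslash( $_POST['settings'] ?? '' );
    $settings = json_decode( $raw, true ); // true = associative arrays, never objects
    if ( ! is_array( $settings ) ) {
        wp_die( 'Invalid settings payload' );
    }

    // Allow-list the expected keys and sanitize each value by its type.
    $clean = array(
        'backup_dir' => sanitize_text_field( $settings['backup_dir'] ?? '' ),
        'retention'  => absint( $settings['retention'] ?? 0 ),
    );
    update_option( 'example_settings', $clean );
    wp_safe_redirect( admin_url( 'options-general.php?page=example' ) );
    exit;
}

// If serialized PHP must be accepted for a legacy format, refuse objects outright
// (PHP >= 7.0): any class in the payload becomes __PHP_Incomplete_Class and
// no magic methods run.
function example_unserialize_no_objects( string $raw ) {
    return unserialize( $raw, array( 'allowed_classes' => false ) );
}
```

Two things to check when reviewing a plugin for this bug: every `admin_post_*`, `wp_ajax_*` and options-page handler that changes state should reach `check_admin_referer()` or `wp_verify_nonce()` before any write, and `unserialize()` should never be reachable from `$_GET`, `$_POST`, `$_COOKIE` or `$_REQUEST` without `allowed_classes => false`.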

What an attacker can do

03 Attacker Capabilities

Make a logged-in administrator's browser submit a forged request that the plugin accepts, and through it supply serialized data that the plugin passes to unserialize(), so the attacker controls which PHP objects are instantiated (PHP Object Injection). The rated effect is on integrity: unauthorized administrative changes to site configuration or data without the admin's knowledge.

Potential impact on your site

04 Site Impact

An attacker holding a low-privileged account can trick an administrator into making unwanted configuration or data changes. The CVSS vector records high integrity impact with no confidentiality or availability impact; what an injected object can actually do depends on which gadget classes are loaded on the site.

Conditions required to exploit

05 Prerequisites

Attacker needs a valid user account; victim admin must visit attacker-controlled page while logged in.

Key dates

06 Disclosure timeline

August 16, 2025 CVE published
April 28, 2026 Record updated
