What the vulnerability does
01Description
Deserialization of Untrusted Data vulnerability in PickPlugins Post Grid and Gutenberg Blocks post-grid allows Object Injection.This issue affects Post Grid and Gutenberg Blocks: from n/a through <= 2.3.11.
CVE-2025-54007
HIGH
CVE-2025-54007: WordPress Post Grid and Gutenberg Blocks Plugin <= 2.3.11 - PHP Object Injection Vulnerability
CVSS base score
8.8/10
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Explanation of Vulnerability in Simple Terms
02Summary
Post Grid and Gutenberg Blocks versions up to 2.3.11 contain a deserialization vulnerability that allows authenticated users to execute arbitrary code on the site. An attacker with low-level WordPress access can craft malicious serialized data to trigger code execution. This affects all installations running the vulnerable versions.
What an attacker can do
03Attacker Capabilities
Run their own PHP code on the site and take full control of it.
Potential impact on your site
04Site Impact
Any authenticated user can compromise your entire site, steal data, or inject malware.
Conditions required to exploit
05Prerequisites
Attacker must have a low-level WordPress user account (subscriber or higher).
Key dates
06Disclosure timeline
August 20, 2025
CVE published
May 13, 2026
Record updated
External resources
07References
Related vulnerabilities
08Related CVE
CVE-2021-35216 Deserialization of Untrusted Data in Resource Controls Remote Code Execution
CVE-2025-49837 GHSL-2025-049: GPT-SoVITS Deserialization of Untrusted Data vulnerability
CVE-2021-37578 Remote code execution via RMI
CVE-2025-22526 WordPress PHP/MySQL CPU performance statistics Plugin <= 1.2.1 - PHP Object Injection vulnerability
CVE-2025-2043 LinZhaoguan pb-cms Add New Topic admin#themes deserialization
