CVE-2025-68853 HIGH

CVE-2025-68853: WordPress Contact Manager plugin <= 9.1.1 - PHP Object Injection vulnerability

Vendor Kleor
Product Contact Manager
Weakness CWE-502 · Unsafe deserialization
Published February 20, 2026
Last update April 28, 2026

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Scope Unchanged
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

Deserialization of Untrusted Data vulnerability in Kleor Contact Manager (contact-manager) allows Object Injection. This issue affects Contact Manager: all versions through 9.1.1 (no lower bound given).

Explanation of Vulnerability in Simple Terms

02 Summary

Kleor Contact Manager versions up to and including 9.1.1 pass attacker-controlled data to PHP's unserialize(). A serialized payload names whatever classes the attacker chooses; PHP instantiates them and runs their magic methods (__wakeup, __destruct, __toString and similar) while the data is processed. If a class with a dangerous magic method is loadable on the site, whether from this plugin, another plugin, a theme or WordPress core, the attacker chains into it to write files, run queries or execute arbitrary PHP as the web-server user. Exploitation requires user interaction (a victim must open a crafted link or page) but no authentication on the attacker's side.
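The pattern described above, as an added illustration rather than code from the Contact Manager plugin (the advisory does not publish the affected code path): a gadget class, the unserialize() sink, and two hardened replacements. The class LogWriter, the restore_state_* functions, the detection helper and the payload are all hypothetical and constructed for this example.

```php
<?php
// Added illustration, not code from the Contact Manager plugin: what a
// CWE-502 / PHP Object Injection sink looks like and how to close it.
// LogWriter, the restore_state_* functions and the payload are hypothetical.

// A "gadget": any class loadable on the site (core, any plugin, any theme)
// whose magic method does something dangerous with attacker-set properties.
class LogWriter
{
    public $path;
    public $content;

    public function __destruct()
    {
        // Fires when the object is destroyed, including objects that
        // unserialize() built from a request parameter.
        file_put_contents($this->path, $this->content);
    }
}

// VULNERABLE: untrusted input goes straight into unserialize().
// WordPress' maybe_unserialize() wraps the same call, so it is the same sink.
function restore_state_vulnerable(string $blob)
{
    return unserialize(base64_decode($blob, true));
}

// HARDENED (1): forbid object creation. Any O:... entry becomes
// __PHP_Incomplete_Class and no __wakeup/__destruct/__toString runs.
// The check below covers a top-level object; for nested arrays walk the
// result, or better, do not accept PHP serialization at all (see below).
function restore_state_hardened(string $blob)
{
    $data = unserialize(base64_decode($blob, true), ['allowed_classes' => false]);
    if ($data instanceof __PHP_Incomplete_Class) {
        throw new InvalidArgumentException('objects are not accepted in state');
    }
    return $data;
}

// HARDENED (2): use a format that cannot express PHP objects at all.
function restore_state_json(string $json)
{
    return json_decode($json, true, 32, JSON_THROW_ON_ERROR);
}

// Detection helper for logs or WAF rules: a serialized PHP object starts
// with O:<len>:"<class>":<count>:{ whether it is top-level or nested.
function looks_like_php_object(string $value): bool
{
    return (bool) preg_match('/(^|[;{])O:\d+:"[^"]+":\d+:\{/', $value);
}

// --- Demo with a constructed payload (what a crafted link could carry) ---
$payload = base64_encode(
    'O:9:"LogWriter":2:{s:4:"path";s:17:"/tmp/poi-demo.txt";s:7:"content";s:5:"owned";}'
);

var_dump(looks_like_php_object(base64_decode($payload)));

$obj = restore_state_vulnerable($payload);
var_dump(get_class($obj));   // the attacker-chosen class was instantiated
unset($obj);                 // __destruct runs and writes /tmp/poi-demo.txt

try {
    $safe = restore_state_hardened($payload);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;   // rejected before any magic method ran
}

var_dump(restore_state_json('{"page":2,"filter":"recent"}'));
```

The important property is that the gadget need not live in the vulnerable plugin: PHP resolves the class name in the payload against everything autoloaded or already included on the site, so the realistic impact depends on what else is installed, which is why advisories of this kind are scored for full compromise.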

What an attacker can do

03 Attacker Capabilities

With a usable gadget chain on the site, run arbitrary PHP as the web-server user; read, modify or delete data; and take over user accounts.

Potential impact on your site

04 Site Impact

Complete site compromise: attackers can steal data, modify content, create admin accounts, or take the site offline.

Conditions required to exploit

05 Prerequisites

Network access to the site, no authentication, and one user interaction: a victim must open a crafted link or page.

Key dates

06 Disclosure timeline

February 20, 2026 CVE published
April 28, 2026 Record updated