CVE-2025-52740
Published: 22 October 2025
Summary
CVE-2025-52740 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 38.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-52740 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the Boldermail WordPress plugin developed by Hernan Villanueva, enabling PHP Object Injection. The issue affects Boldermail versions from n/a through 2.4.0 inclusive. Published on 2025-10-22, it carries a CVSS 3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.
The vulnerability can be exploited remotely over the network by an attacker with low privileges, such as an authenticated user, requiring low complexity and no user interaction. Successful exploitation allows the attacker to achieve high confidentiality, integrity, and availability impacts, potentially leading to full system compromise through object injection.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/boldermail/vulnerability/wordpress-boldermail-plugin-2-4-0-php-object-injection-vulnerability?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-35491
Vulnerability details
Deserialization of Untrusted Data vulnerability in Hernan Villanueva Boldermail boldermail allows Object Injection.This issue affects Boldermail: from n/a through <= 2.4.0.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a network-accessible deserialization flaw (CWE-502) in a WordPress plugin exploitable by low-privileged users, directly enabling exploitation of a public-facing application.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Timely flaw remediation patches the deserialization of untrusted data vulnerability in Boldermail <=2.4.0, directly preventing PHP object injection exploitation.
Information input validation rejects or sanitizes untrusted serialized data before deserialization, blocking malicious object injection in the Boldermail plugin.
Vulnerability scanning identifies the Boldermail plugin vulnerability (CVE-2025-52740), enabling detection and prioritized remediation.