Description

The Visitor Logic Lite plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0.3 via deserialization of untrusted input from the `lpblocks` cookie. This is due to the `lp_track()` function passing unsanitized cookie data directly to the `unserialize()` function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code granted they can access the WordPress site.
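For operators who want to check whether an `lpblocks` value carries a serialized object, the following is an added example, not code from the plugin or from this record. It walks PHP's serialization format and reports any class names it finds; `classify_cookie`, the sample values and the URL-decoding step are assumptions of the example.

```python
from urllib.parse import unquote_to_bytes

MAX_DEPTH = 32  # stop on absurd nesting instead of recursing without bound

def _num(data, pos):  # read "<digits>:" at pos; return (value, index past ':')
    end = data.index(b":", pos)
    if not data[pos:end].isdigit():
        raise ValueError("bad length field")
    return int(data[pos:end]), end + 1

def _expect(data, pos, lit):
    if data[pos:pos + len(lit)] != lit:
        raise ValueError(f"expected {lit!r} at offset {pos}")
    return pos + len(lit)

def _walk(data, pos, found, depth=0):
    """Consume one serialized value; record class names of object tokens."""
    tag = data[pos:pos + 1]
    if depth > MAX_DEPTH or not tag:
        raise ValueError("truncated or nested too deeply")
    if tag in b"NbidrR":               # null, scalars and references end at ';'
        return data.index(b";", pos) + 1
    n, pos = _num(data, _expect(data, pos + 1, b":"))
    if tag == b"s":                    # s:<len>:"<bytes>"; body skipped by length
        return _expect(data, _expect(data, pos, b'"') + n, b'";')
    if tag in b"OC":                   # O:<len>:"<class>":<count>:{...}
        start = _expect(data, pos, b'"')
        found.append(data[start:start + n].decode("latin-1"))
        n, pos = _num(data, _expect(data, start + n, b'":'))
    elif tag != b"a":
        raise ValueError(f"unsupported tag {tag!r}")
    pos = _expect(data, pos, b"{")
    if tag == b"C":
        pos += n                       # custom-serialized payload, n opaque bytes
    else:
        for _ in range(2 * n):         # n key/value pairs
            pos = _walk(data, pos, found, depth + 1)
    return _expect(data, pos, b"}")

def classify_cookie(raw):
    """Return (verdict, classes): verdict is 'object', 'plain' or 'malformed'."""
    data, found = unquote_to_bytes(raw), []
    try:
        complete = _walk(data, 0, found) == len(data)
    except ValueError:
        complete = False
    return ("object" if found else "plain" if complete else "malformed"), found

# Constructed lpblocks values (not captured traffic): a plain array, then one holding an object.
SAMPLES = ['a:1:{i:0;s:4:"home";}', 'a%3A1%3A%7Bi%3A0%3BO%3A8%3A%22stdClass%22%3A0%3A%7B%7D%7D']
```

Because string bodies are skipped by their declared length, text inside a string value that merely looks like an object token is not flagged, which a plain pattern match over the cookie would get wrong.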

PUBLISHED Reserved 2025-12-04 | Published 2025-12-12 | Updated 2025-12-15 | Assigner Wordfence




HIGH: 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-502 Deserialization of Untrusted Data

Product status

Default status: unaffected

* (semver): affected

Timeline

2025-12-11: Disclosed

Credits

Ivan Cese (finder)

References

www.wordfence.com/...-96fb-4c1f-989c-cc07965b5266?source=cve

plugins.trac.wordpress.org/...logic-pro/trunk/logic-lite.php

plugins.trac.wordpress.org/...-pro/tags/1.0.3/logic-lite.php

cve.org (CVE-2025-14044)

nvd.nist.gov (CVE-2025-14044)

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.