CVE-2025-22510

HIGH

WC Price History for Omnibus <2.1.4 - Code Injection

Title source: llm
Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-22510. PoCs published by DoTTak.

AI-analyzed exploit summary: This PoC demonstrates a PHP Object Injection vulnerability in the WC Price History for Omnibus WordPress plugin (version <= 2.1.4). It exploits the deserialization of user-controlled JSON data in the 'serialized' key, allowing attackers with Shop Manager privileges to inject malicious PHP objects.

Description

Deserialization of Untrusted Data vulnerability in kkarpieszuk WC Price History for Omnibus wc-price-history allows Object Injection. This issue affects WC Price History for Omnibus: from n/a through <= 2.1.4.

Exploits (1)

nomisec WORKING POC
by DoTTak · poc
https://github.com/DoTTak/CVE-2025-22510

Classification: Working PoC 95%
Attack Type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: WC Price History for Omnibus WordPress plugin <= 2.1.4
Auth required
Prerequisites: WordPress site with WC Price History for Omnibus plugin <= 2.1.4 · WooCommerce plugin installed and activated · Shop Manager privileges
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 7.2
EPSS 0.0118
EPSS Percentile 63.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-502
Status published
Products (2)
kkarpieszuk/WC Price History for Omnibus < 2.1.4
Konrad Karpieszuk/WC Price History for Omnibus < 2.1.4
Published Jan 09, 2025
Tracked Since Feb 18, 2026