{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14044", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-04T16:15:55.591Z", "datePublished": "2025-12-12T03:20:46.867Z", "dateUpdated": "2026-04-08T16:56:43.388Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:56:43.388Z"}, "affected": [{"vendor": "rodgerholl", "product": "Visitor Logic Lite", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Visitor Logic Lite plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0.3 via deserialization of untrusted input from the `lpblocks` cookie. This is due to the `lp_track()` function passing unsanitized cookie data directly to the `unserialize()` function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code granted they can access the WordPress site."}], "title": "Visitor Logic Lite <= 1.0.3 - Unauthenticated PHP Object Injection via 'lpblocks' Cookie", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/60fb6928-96fb-4c1f-989c-cc07965b5266?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/logic-pro/trunk/logic-lite.php#L131"}, {"url": "https://plugins.trac.wordpress.org/browser/logic-pro/tags/1.0.3/logic-lite.php#L131"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-502 Deserialization of Untrusted Data", "cweId": "CWE-502", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Ivan Cese"}], "timeline": [{"time": "2025-12-11T14:22:32.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-15T17:53:06.020056Z", "id": "CVE-2025-14044", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-15T18:15:21.105Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14044", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-12-15T17:53:06.020056Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-15T17:53:55.608Z"}}], "cna": {"title": "Visitor Logic Lite <= 1.0.3 - Unauthenticated PHP Object Injection via 'lpblocks' Cookie", "credits": [{"lang": "en", "type": "finder", "value": "Ivan Cese"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "rodgerholl", "product": "Visitor Logic Lite", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-11T14:22:32.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/60fb6928-96fb-4c1f-989c-cc07965b5266?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/logic-pro/trunk/logic-lite.php#L131"}, {"url": "https://plugins.trac.wordpress.org/browser/logic-pro/tags/1.0.3/logic-lite.php#L131"}], "descriptions": [{"lang": "en", "value": "The Visitor Logic Lite plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0.3 via deserialization of untrusted input from the `lpblocks` cookie. This is due to the `lp_track()` function passing unsanitized cookie data directly to the `unserialize()` function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code granted they can access the WordPress site."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:56:43.388Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14044", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:56:43.388Z", "dateReserved": "2025-12-04T16:15:55.591Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-12T03:20:46.867Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Visitor Logic Lite plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0.3 via deserialization of untrusted input from the `lpblocks` cookie. This is due to the `lp_track()` function passing unsanitized cookie data directly to the `unserialize()` function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code granted they can access the WordPress site."}], "id": "CVE-2025-14044", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-12T04:15:46.380", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/logic-pro/tags/1.0.3/logic-lite.php#L131"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/logic-pro/trunk/logic-lite.php#L131"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/60fb6928-96fb-4c1f-989c-cc07965b5266?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T17:29:51.398753+00:00", "value": {"mitigation_remediation": ["Upgrade Visitor Logic Lite to the latest version, 1.0.4 or newer, which removes the unsanitized unserialize call.", "If an upgrade is impossible, either disable the plugin or block the lpblocks cookie from being sent by the browser to prevent object injection.", "In a broader strategy, audit other installed plugins and themes for classes that could be instantiated via deserialization and apply patches or mitigations to those components as well."], "summary": {"action": "Apply Patch", "impact": "Unauthenticated PHP Object Injection capable of escalating to remote code execution if a privilege\u2011oriented pop\u2011of\u2011plant chain exists"}, "threat_synthesis": {"affected_systems": "All releases of Visitor Logic Lite up to and including version 1.0.3 from the vendor rodgerholl are affected. No specific version ranges beyond the stated limit are listed, and the issue applies to every installation of the plugin prior to 1.0.4.", "description_and_impact": "The vulnerability lies in the Visitor Logic Lite plugin for WordPress, which deserializes data from the lpblocks cookie without validation. This PHP Object Injection flaw, identified as CWE\u2011502, allows an unauthenticated attacker to inject any PHP object into the application. While no exploitation chain is built into the plugin itself, the injected object could be used in conjunction with a vulnerable class from another plugin or theme to delete files, read sensitive data or execute arbitrary code, assuming the attacker can reach the site\u2019s HTTP interface.", "risk_and_exploitability": "The CVSS score of 8.1 indicates a high severity, yet the EPSS score is below 1%, suggesting a low probability of exploitation at any given time. The vulnerability is not present in the CISA KEV catalog, which reduces perceived urgency. The likely attack vector is through manipulation of the lpblocks cookie by any user who can visit a URL under the site domain. In isolation, the flaw cannot be exploited; however, if the target environment hosts any additional plugin or theme that contains a vulnerable class that can be instantiated by the attacker, the consequences can range from file deletion and data exfiltration to full code execution."}}}}, "created": "2025-12-12T08:47:46.211073+00:00", "updated": "2026-04-21T17:30:37.705277+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}