Unrated severity · NVD Advisory · Published May 2, 2023 · Updated Jan 30, 2025

SEOPress < 6.5.0.3 - Admin+ PHP Object Injection

CVE-2023-1669

Description

The SEOPress WordPress plugin before 6.5.0.3 unserializes user input provided via the settings, which could allow high-privilege users such as admin to perform PHP Object Injection when a suitable gadget is present.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability mechanics

Root cause

"Missing input sanitization in the SEOPress settings handler allows user-supplied serialized data to be passed directly to PHP's unserialize() function."

Attack vector

An attacker with admin-level privileges navigates to the SEOPress plugin settings page and injects a crafted serialized PHP payload into a settings field that the plugin unserializes without validation [ref_id=1]. When the plugin processes the saved settings, the unserialize() call deserializes the payload, which can trigger PHP Object Injection if a suitable gadget class is present in the WordPress environment [CWE-502]. The attack requires the attacker to already have admin credentials, limiting the preconditions to high-privilege users.

Affected code

The advisory does not specify the exact file or function name within the SEOPress plugin that performs the unsafe unserialize() call [ref_id=1]. The vulnerable code path is in the plugin's settings handling logic, which unserializes user input provided via the settings page.

What the fix does

The advisory states the vulnerability is fixed in version 6.5.0.3 [ref_id=1]. No patch diff is provided in the bundle, but the remediation would involve replacing the unsafe unserialize() call with a safe alternative such as json_decode() or adding strict input validation and sanitization before deserialization. The fix ensures that user-supplied settings data is no longer passed directly to PHP's unserialize() function, preventing object instantiation from untrusted serialized strings.
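The contrast described above, as an added illustration that is not SEOPress code: the unsafe settings-loading pattern the advisory describes beside a hardened handler that stores settings as JSON, validates each field against an allow-list, and migrates legacy serialized data without letting any class be instantiated. Function and option names are hypothetical.

```php
<?php
// Added illustration, not SEOPress code; option names are hypothetical.
// Unsafe: the settings string an admin saved reaches unserialize() unchanged,
// so any class with __wakeup()/__destruct() side effects is a potential gadget.
function load_settings_unsafe(string $raw): array
{
    $data = unserialize($raw);
    return is_array($data) ? $data : [];
}

// Allow-list of the keys the plugin actually expects, with their types.
const SETTINGS_SCHEMA = ['site_title' => 'string', 'noindex' => 'bool', 'max_links' => 'int'];

// Hardened: settings are stored as JSON, so loading them can never instantiate
// an object, and each field is type-checked against the schema before use.
function load_settings_safe(string $raw): array
{
    $decoded = json_decode($raw, true, 4, JSON_THROW_ON_ERROR);
    if (!is_array($decoded)) {
        throw new UnexpectedValueException('settings must be a JSON object');
    }
    $clean = [];
    foreach (SETTINGS_SCHEMA as $key => $type) {
        if (!array_key_exists($key, $decoded)) {
            continue;
        }
        $ok = match ($type) {
            'string' => is_string($decoded[$key]),
            'bool'   => is_bool($decoded[$key]),
            'int'    => is_int($decoded[$key]),
        };
        if (!$ok) {
            throw new UnexpectedValueException("settings.$key has the wrong type");
        }
        $clean[$key] = $decoded[$key];
    }
    return $clean;
}

// One-time migration of values already stored with serialize(): allowed_classes
// => false turns any embedded object into __PHP_Incomplete_Class, so no magic
// method runs, and only a plain array is carried over into the JSON format.
function migrate_legacy_settings(string $raw): string
{
    $data = unserialize($raw, ['allowed_classes' => false]);
    return json_encode(is_array($data) ? $data : [], JSON_THROW_ON_ERROR);
}
// Constructed sample input: a serialized object stored where an array belongs.
print_r(load_settings_safe('{"site_title":"Example","noindex":true,"max_links":5}'));
var_dump(migrate_legacy_settings('O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}'));
```

The migration helper drops the object entirely rather than trying to repair it, which is the safe default when the stored value no longer matches the expected shape.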

Preconditions

  • Attacker must have admin-level privileges on the WordPress site
  • A suitable PHP gadget class must be present in the WordPress environment to achieve code execution
  • Attacker must be able to access the SEOPress plugin settings page

Reproduction

The advisory's Proof of Concept section is empty and does not document reproduction steps [ref_id=1]. No other reproduction steps are present in the bundle.

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
