CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2025-32927

CVSS 9.8v3.1pub. 2025-05-19upd. 2026-04-23

Deserialization of Untrusted Data vulnerability in Chimpstudio FoodBakery wp-foodbakery allows Object Injection.This issue affects FoodBakery: from n/a through <= 3.3.

🤖 AI Analysis
How it works

The vulnerability (CWE-502) results from improper deserialization of user-supplied data. An attacker can craft a malicious payload and submit it to a vulnerable entry point of the plugin, resulting in the injection and execution of a PHP object on the server side. If appropriate gadget chains (POP chains) exist in the application or installed components, it is possible to escalate the attack to arbitrary code execution or other critical operations.

Impact

An attacker without any authentication can potentially gain full control over the server, including the ability to read and modify data, delete files, or execute arbitrary code (RCE), depending on available gadget chains.

Mitigation & patch

The FoodBakery plugin must be immediately updated to a version higher than 3.3. If an update is not available, the plugin should be deactivated and removed until a patch is released. Details regarding the fix are available in the Patchstack database at the address indicated in the references.

Who is affected

The FoodBakery plugin (wp-foodbakery) by Chimpstudio in all versions up to and including 3.3 (from n/a through <= 3.3) for the WordPress platform.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Chimpgroup Foodbakery

    APP
    Chimpgroup
    ≤ 3.3
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
Deserialization
CWE
References

Related vulnerabilities

CVE-2021-24389MEDIUM6.1ten sam produkt

The WP Foodbakery WordPress plugin before 2.2, used in the FoodBakery WordPress theme before 2.2 did not prope...

CVE-2024-11284CRITICAL9.8PL ✓ten sam vendor

WP JobHunt: nieuwierzytelnione przejęcie konta i privilege escalation

CVE-2024-11285CRITICAL9.8PL ✓ten sam vendor

WP JobHunt dla WordPress – przejęcie konta przez zmianę adresu e-mail

CVE-2024-11286CRITICAL9.8PL ✓ten sam vendor

Authentication bypass w WP JobHunt – przejęcie konta administratora

CVE-2022-0316CRITICAL9.8ten sam vendor

The WeStand WordPress theme before 2.1, footysquare WordPress theme, aidreform WordPress theme, statfort WordP...

CVE-2025-32927 — Chimpgroup — Foodbakery — CRITICAL — CVSS 9.8 | CVEbaza.pl