CVE-2025-7504

Published
CVSS v3: 7.5 (HIGH)
CVSS v2: N/A
Affected: 2 projects

Description

The Friends plugin for WordPress is vulnerable to PHP Object Injection in version 3.5.1 via deserialization of untrusted input from the query_vars parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP object. No known POP chain is present in the vulnerable software, so the vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If such a chain is present via an additional plugin or theme, it may allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code, depending on the chain. Exploitation also requires access to the site's SALT_NONCE and SALT_KEY.
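The pattern the advisory describes, shown as an added illustration rather than the Friends plugin's own code: a request parameter handed to unserialize(), a hypothetical gadget class of the kind a third-party plugin or theme might ship, and two hardened replacements. Every class, function and parameter name here is made up for the example; the payload is constructed, not taken from a real exploit. The advisory's note that exploitation needs the site's SALT_NONCE and SALT_KEY suggests the serialized value is bound to a secret in the real plugin; the example does not model that and simply assumes the attacker-supplied string reaches unserialize(). Requires PHP 7.4 or later.

```php
<?php
// Added illustration of PHP Object Injection via unserialize() on a request
// parameter. NOT the Friends plugin's code; all names here are hypothetical.

// A hypothetical POP gadget of the kind a *different* plugin or theme might
// ship: its __destruct() acts on an attacker-controlled property. The advisory
// says the vulnerable plugin itself contains no such chain.
final class Hypothetical_Gadget {
    public string $path = '';
    public function __destruct() {
        // A real gadget would unlink() or write $this->path; this one only
        // records that it ran so the effect is visible without side effects.
        Gadget_Trace::$events[] = "destructor ran against {$this->path}";
    }
}
final class Gadget_Trace { public static array $events = []; }

// Vulnerable pattern: the raw parameter goes straight into unserialize(), so
// the attacker chooses which classes are instantiated and with what
// properties; their magic methods (__wakeup, __destruct, ...) then run.
function restore_query_vars_vulnerable(string $raw): array {
    $vars = @unserialize($raw);
    return is_array($vars) ? $vars : [];
}

// Hardened pattern A: keep the format but forbid object instantiation. Any
// O:... record becomes __PHP_Incomplete_Class, which has no magic methods,
// so no POP chain is reachable regardless of what else is installed.
function restore_query_vars_hardened(string $raw): array {
    $vars = @unserialize($raw, ['allowed_classes' => false]);
    return is_array($vars) ? $vars : [];
}

// Hardened pattern B (preferred for new code): a format that cannot encode
// PHP objects at all. Callers should still validate the keys they expect.
function restore_query_vars_json(string $raw): array {
    $vars = json_decode($raw, true, 512, JSON_THROW_ON_ERROR);
    return is_array($vars) ? $vars : [];
}

// Heuristic check for logs or a WAF rule: a serialized object record starts
// with O:<len>:"<class>". Legitimate query vars never need one.
function contains_serialized_object(string $raw): bool {
    return (bool) preg_match('/(?:^|[;{])O:\d+:"/', $raw);
}

// Constructed attacker payload: an array of query vars in which one value is
// a serialized gadget. Lengths are computed so the record is well-formed.
$gadget  = 'Hypothetical_Gadget';
$target  = '/srv/wp/.htaccess';
$payload = sprintf(
    'a:2:{s:1:"p";s:1:"1";s:1:"x";O:%d:"%s":1:{s:4:"path";s:%d:"%s";}}',
    strlen($gadget), $gadget, strlen($target), $target
);

// Vulnerable path: the gadget is instantiated and its destructor runs as
// soon as the last reference to it goes away.
$vars = restore_query_vars_vulnerable($payload);
var_dump($vars['x'] instanceof Hypothetical_Gadget);
unset($vars);
var_dump(Gadget_Trace::$events);

// Hardened path: the same payload yields an __PHP_Incomplete_Class stub and
// no destructor ever runs.
Gadget_Trace::$events = [];
$vars = restore_query_vars_hardened($payload);
var_dump($vars['x'] instanceof __PHP_Incomplete_Class);
unset($vars);
var_dump(Gadget_Trace::$events);

// Detection heuristic against the malicious and a benign payload.
var_dump(contains_serialized_object($payload));
var_dump(contains_serialized_object('a:1:{s:1:"p";s:1:"1";}'));
```

The `allowed_classes` option is the minimal fix when a serialized format must be kept for compatibility; switching to JSON removes the class of bug entirely. The regex is only a triage aid: serialized objects can also arrive base64- or URL-encoded, so decode before matching if the parameter is transported that way.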

A social network between WordPresses. Privacy focused, by itself a self-hosted RSS++ reader with notifications. Combine with other plugins to make your WordPress a full personal Mastodon instance.
GitHub
102
The Friends plugin turns your WordPress into a self-hosted social reader. Follow people via RSS and ActivityPub (Mastodon and other Fediverse platforms) and read their posts through one of several built-in themes (Mastodon-style, Google Reader-style, or the default view) with dark mode support.

Combine this plugin with the ActivityPub plugin to participate in the Fediverse from your own site. Use the Enable Mastodon Apps plugin to use mobile and desktop Mastodon apps with your WordPress.

The plugin is designed to be extensible: other plugins can add parsers for new feed sources, new themes, and new functionality like saving posts to a collection or sending them to an eReader.

You can...
- Choose from multiple themes: Mastodon-style, Google Reader-style, and a block theme with dark mode.
- Organize your subscriptions into folders.
- Have multiple feeds per person (blog, social media, etc.).
- Categorize incoming content with Post Formats and view all posts of a certain format across your feeds.
- Define rules to filter incoming content.
- Get full-post email notifications from your favorite blogs.
- Save posts to a collection for later reference (via the Post Collection plugin).
- Send posts to your eReader (via the Send to E-Reader plugin).
- Subscribe to any site with one click using the Friends browser extension (https://chromewebstore.google.com/detail/friends/ledbghpaplkpclndlommpbokndieflhl), also available for Firefox (https://addons.mozilla.org/en-US/firefox/addon/wpfriends/).

Video: https://www.youtube.com/watch?v=4bz6GluXnsk

Philosophy

The Friends Plugin was built to make use of what WordPress provides:
- You use the WordPress infrastructure (Gutenberg or Classic Editor, whichever you prefer) to create your posts.
- Followed people are stored as taxonomy terms, and their posts are cached as a custom post type; delete the term to unfollow.
- No extra tables: the Friends plugin just uses a post type, options, and some taxonomies to store its data. When you delete the plugin, your WordPress will be as slim as before.

The logo was created by Ramon Dodd, @ramonopoly. Thank you!

Documentation for the plugin can be found on the GitHub project Wiki (https://github.com/akirk/friends/wiki).

Development of this plugin is done on GitHub (https://github.com/akirk/friends). Pull requests welcome. Please see the issues reported there (https://github.com/akirk/friends/issues) before going to the plugin forum (https://wordpress.org/support/plugin/friends).
WordPress Plugin Directory
87.8K