CVE-2025-49438
Published: 20 August 2025
Summary
CVE-2025-49438 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 29.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-49438 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the Simple Login Log WordPress plugin developed by Max Chirkov. The flaw enables Object Injection and affects all versions of the plugin from n/a through 1.1.3.
The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating a high-severity issue exploitable over the network by unauthenticated attackers. Exploitation requires high attack complexity and no user interaction, but successful attacks can result in high impacts to confidentiality, integrity, and availability.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/simple-login-log/vulnerability/wordpress-simple-login-log-plugin-1-1-3-php-object-injection-vulnerability?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-25356
Vulnerability details
Deserialization of Untrusted Data vulnerability in Max Chirkov Simple Login Log allows Object Injection. This issue affects Simple Login Log: from n/a through 1.1.3.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
PHP object injection via untrusted deserialization in a public-facing WordPress plugin directly enables remote exploitation of a web application by unauthenticated attackers, mapping to T1190.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires identification, reporting, and correction of the deserialization of untrusted data flaw in the Simple Login Log WordPress plugin.
- SI-10 (Information Input Validation): mandates validation of untrusted data inputs to block object injection via unsafe deserialization in the plugin.
- Vulnerability scanning: identifies the presence of CVE-2025-49438 in the WordPress plugin for subsequent remediation.