CVE-2025-39358 HIGH

CVE-2025-39358: WordPress WP Posts Carousel <= 1.3.12 - PHP Object Injection Vulnerability

Vendor Teastudio.pl
Product WP Posts Carousel
Weakness CWE-502 · Unsafe deserialization
Published June 6, 2025
Last update April 29, 2026

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

Deserialization of Untrusted Data vulnerability in the teastudio.pl WP Posts Carousel plugin (wp-posts-carousel) allows Object Injection. This issue affects WP Posts Carousel: from n/a through <= 1.3.12.

Explanation of Vulnerability in Simple Terms

02 Summary

WP Posts Carousel versions up to 1.3.12 contain a deserialization vulnerability that allows authenticated users with low privileges to execute arbitrary code on the site. An attacker can craft malicious serialized data that, when processed by the plugin, runs their own PHP code with full site access. This affects confidentiality, integrity, and availability of the WordPress installation.
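As an added illustration of the CWE-502 pattern behind this bug class (not code from WP Posts Carousel; the page does not show where the plugin deserializes), the PHP 8 snippet below contrasts an unguarded unserialize() call with two hardened forms. The class AuditLogger, the function names and the settings keys are constructed for the example.

```php
<?php
// Added illustration, not code from WP Posts Carousel: the CWE-502 pattern
// behind PHP object injection, beside two hardened forms. The class, the
// function names and the settings keys are constructed for this example.

declare(strict_types=1);

// Stand-in for any class already loaded by WordPress or a plugin whose magic
// method has side effects. Real gadget chains reuse classes that already exist
// in the application; this one only logs, so rebuilding it is harmless.
class AuditLogger
{
    public string $path = '/tmp/audit.log';
    public string $message = '';

    public function __destruct()
    {
        // Runs automatically when the object is garbage-collected, without the
        // calling code ever invoking it. That is what makes injected objects dangerous.
        error_log("AuditLogger::__destruct would write to {$this->path}: {$this->message}");
    }
}

// Vulnerable pattern: data a low-privilege user controls (post meta, a shortcode
// attribute, an option saved from a settings form) goes straight into
// unserialize(), which instantiates whatever class names the string carries.
function load_settings_unsafe(string $raw): mixed
{
    return unserialize($raw);
}

// Hardened form 1: allowed_classes => false (PHP 7.0+) turns every object in the
// payload into __PHP_Incomplete_Class, so no magic method can fire. The result
// is then reduced to the keys and types the plugin actually expects.
function load_settings_safe(string $raw): array
{
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return [];
    }
    // Constructed whitelist of settings keys and their PHP types.
    $schema = ['posts_per_page' => 'integer', 'autoplay' => 'boolean'];
    $clean = [];
    foreach ($schema as $key => $type) {
        if (array_key_exists($key, $data) && gettype($data[$key]) === $type) {
            $clean[$key] = $data[$key];
        }
    }
    return $clean;
}

// Hardened form 2: carry the settings as JSON instead. json_decode() never
// instantiates classes, so there is no object to inject.
function load_settings_json(string $raw): array
{
    try {
        $data = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return [];
    }
    return is_array($data) ? $data : [];
}

// Constructed sample: a serialized blob that carries an object beside
// legitimate-looking settings.
$smuggled = new AuditLogger();
$smuggled->message = 'constructed payload';
$payload = serialize(['posts_per_page' => 5, 'autoplay' => true, 'obj' => $smuggled]);
unset($smuggled); // the original object is destroyed here; __destruct runs once for it

$unsafe = load_settings_unsafe($payload);
var_dump($unsafe['obj'] instanceof AuditLogger); // was an object rebuilt from the input?
unset($unsafe);                                   // if so, __destruct runs a second time, for the injected copy

$safe = load_settings_safe($payload);
var_dump($safe);                                  // the 'obj' entry does not survive the whitelist

var_dump(load_settings_json('{"posts_per_page":5,"autoplay":true}'));
var_dump(load_settings_json($payload));           // a serialized blob is not JSON and is rejected
```

Run with `php example.php`. For defenders triaging a plugin against this weakness, the check is the same as the contrast above: find every unserialize() call, trace whether its input can be influenced by a user with the roles named under Prerequisites, and either add `['allowed_classes' => false]` with a shape check or move the data to JSON.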

What an attacker can do

03 Attacker Capabilities

Run arbitrary PHP code on the site with full WordPress permissions.

Potential impact on your site

04 Site Impact

Complete site compromise: data theft, malware injection, user account takeover, or site defacement.

Conditions required to exploit

05 Prerequisites

Attacker must have a low-privilege WordPress account (e.g., subscriber or contributor role).

Key dates

06 Disclosure timeline

June 6, 2025 CVE published
April 29, 2026 Record updated