CVE-2025-30889: 
WordPress vulnerability analysis and mitigation

A Deserialization of Untrusted Data vulnerability (CVE-2025-30889) was discovered in PickPlugins Testimonial Slider, affecting versions through 2.0.13. The vulnerability was disclosed on April 3, 2025, and allows for Object Injection in the affected WordPress plugin (NVD, Patchstack).

The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data) with a CVSS v3.1 base score of 8.8 (HIGH). The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and high impact potential across confidentiality, integrity, and availability (NVD).

The vulnerability could allow a malicious actor to execute code injection, SQL injection, path traversal, or denial of service attacks if a proper POP chain is present. The specific impact varies case by case, but the high CVSS score indicates significant potential for damage (Patchstack).

Users are advised to update to version 2.0.14 or later to resolve the vulnerability. For temporary mitigation, Patchstack has issued a virtual patch to block potential attacks until users can update to the fixed version (Patchstack).