CVE-2025-30949: 
WordPress vulnerability analysis and mitigation

A Deserialization of Untrusted Data vulnerability was discovered in Guru Team's Site Chat on Telegram WordPress plugin (CVE-2025-30949). The vulnerability affects all versions up to and including 1.0.4, and was disclosed on July 7, 2025. The issue allows unauthenticated attackers to perform PHP Object Injection through the deserialization of untrusted input (Patchstack, Rapid7).

The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data) and has received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The issue stems from the plugin's handling of untrusted data during deserialization operations, which can lead to PHP Object Injection (Patchstack).

While no known POP (Property-Oriented Programming) chain is present in the vulnerable software itself, the vulnerability could be exploited if another plugin or theme containing a POP chain is installed on the site. In such cases, attackers could potentially delete arbitrary files, retrieve sensitive data, or execute code, depending on the available POP chain (Rapid7).

Site administrators are advised to update to version 1.0.6 or later, which contains the fix for this vulnerability. Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack).