CVE-2025-39358: 
WordPress vulnerability analysis and mitigation

A Deserialization of Untrusted Data vulnerability was discovered in Teastudio.Pl WP Posts Carousel plugin, identified as CVE-2025-39358. The vulnerability affects versions through 1.3.12 of the WP Posts Carousel plugin and allows for Object Injection. The issue was initially reported on April 9, 2025, by security researcher Martino Spagnuolo (r3verii) and was publicly disclosed on May 29, 2025 (Patchstack).

The vulnerability is classified as a PHP Object Injection vulnerability, stemming from the deserialization of untrusted data. It has been assigned a CVSS v3.1 base score of 8.8 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability is identified under CWE-502 (Deserialization of Untrusted Data) and requires Contributor-level privileges to exploit (Wiz, Patchstack).

The vulnerability could potentially allow malicious actors to execute code injection, SQL injection, path traversal, or denial of service attacks if a proper POP chain is present. The high CVSS score of 8.8 indicates significant potential impact on the confidentiality, integrity, and availability of affected systems (Patchstack).

The vulnerability has been patched in version 1.3.13 of the WP Posts Carousel plugin. Users are advised to update to this version or later immediately. For users unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks (Patchstack).