CVE-2025-48134: 
WordPress vulnerability analysis and mitigation

A Deserialization of Untrusted Data vulnerability (CVE-2025-48134) was discovered in ShapedPlugin LLC's WP Tabs WordPress plugin. The vulnerability affects all versions through 2.2.11 and allows Object Injection. This security issue was discovered by Nguyen Ngoc Quang Bach (maysbachs) and was published on May 16, 2025 (Patchstack).

The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data) and has received a CVSS v3.1 base score of 7.2 (High). The attack vector is network-based (AV:N), with low attack complexity (AC:L), requires high privileges (PR:H), needs no user interaction (UI:N), has unchanged scope (S:U), and can impact confidentiality, integrity, and availability at high levels (C:H/I:H/A:H) (Patchstack).

The vulnerability could potentially allow a malicious actor to execute code injection, SQL injection, path traversal, or denial of service attacks if a proper POP chain is present. However, the specific impact varies case by case, and the vulnerability requires administrator-level access to exploit (Patchstack).

As of the disclosure date, no official fix is available for this vulnerability. The issue affects WP Tabs versions up to and including 2.2.11 (Patchstack).