CVE-2025-49393: 
WordPress vulnerability analysis and mitigation

The Sign-up Sheets WordPress plugin by Fetch Designs contains a Deserialization of Untrusted Data vulnerability (CVE-2025-49393) that allows Object Injection. This vulnerability affects all versions of Sign-up Sheets through version 2.3.2. The issue was discovered and reported on September 23, 2025, and received a critical CVSS v3.1 base score of 9.8 (Rapid7, Patchstack).

The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data) and allows unauthenticated attackers to perform PHP Object Injection. While no known POP (Property-Oriented Programming) chain is present in the vulnerable software itself, if a POP chain exists via additional plugins or themes installed on the target system, it could enable attackers to execute various malicious actions (Rapid7).

The vulnerability could potentially allow attackers to delete arbitrary files, retrieve sensitive data, or execute code if a suitable POP chain is present through other installed plugins or themes. The critical CVSS score of 9.8 indicates the severe potential impact of this vulnerability (Patchstack).

The vulnerability has been fixed in version 2.3.3 of the Sign-up Sheets plugin. Users are strongly advised to update to this version or later immediately. Additionally, Patchstack has issued a mitigation rule to block potential attacks until users can update to the fixed version (Patchstack).