CVE-2025-49438: 
WordPress vulnerability analysis and mitigation

A Deserialization of Untrusted Data vulnerability (CVE-2025-49438) was discovered in Max Chirkov Simple Login Log WordPress plugin. The vulnerability affects versions through 1.1.3 and allows Object Injection. The issue was disclosed on August 20, 2025, and was assigned a CVSS v3.1 base score of 7.2 (High) (Patchstack, NVD).

The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data) and received a CVSS v3.1 vector string of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. This indicates that the vulnerability is network-accessible, requires high privileges, but no user interaction, and can potentially impact confidentiality, integrity, and availability (NVD).

The vulnerability could allow a malicious actor to execute code injection, SQL injection, path traversal, or denial of service attacks if a proper POP chain is present. The specific impact varies case by case, but the high CVSS score indicates significant potential for damage (Patchstack).

No official fix is available as the software appears to be abandoned, having not received updates for over a year. The recommended mitigation is to remove and replace the plugin with an alternative solution (Patchstack).