
Cloud Vulnerability DB
A community-led vulnerabilities database
A Deserialization of Untrusted Data vulnerability was discovered in Cozmoslabs TranslatePress multilingual WordPress plugin (CVE-2025-58592). The vulnerability affects TranslatePress versions through 2.10.2 and allows Object Injection. The issue was discovered and reported on September 24, 2025, by security researcher Phat RiO from BlueRock (Patchstack VDP, Wordfence Report).
The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data) and has received a CVSS v3.1 base score of 8.1 (High) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. This scoring indicates that the vulnerability can be exploited remotely without requiring privileges or user interaction, though with high attack complexity (NVD).
The vulnerability can be exploited to perform object injection attacks, which could potentially lead to arbitrary code execution, website logic exploitation, or denial of service. A successful attack could allow malicious actors to gain unauthorized access to the admin panel (Patchstack VDP).
The vulnerability has been patched in TranslatePress version 2.10.3. Website administrators are strongly advised to update to this version or later immediately. For users of Patchstack security services, a mitigation rule has been issued to block potential attacks until the update can be applied (Patchstack VDP).
Source: This report was generated using AI