Cyber Posture

CVE-2025-30773

High

Published: 27 March 2025

Published
27 March 2025
Modified
23 April 2026
KEV Added
Patch
CVSS Score 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0040 60.6th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may abuse Unix shell commands and scripts for execution.

Security Summary

CVE-2025-30773 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the Cozmoslabs TranslatePress WordPress plugin (translatepress-multilingual). Published on 2025-03-27, it enables Object Injection and affects all versions from n/a through 2.9.6.

The vulnerability carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). Attackers require high privileges, such as administrator-level access, to exploit it over the network with low complexity and no user interaction. Successful exploitation can lead to high impacts on confidentiality, integrity, and availability, potentially allowing arbitrary code execution or other severe consequences through object injection.

Patchstack has issued an advisory detailing the PHP Object Injection vulnerability in TranslatePress 2.9.6 at https://patchstack.com/database/Wordpress/Plugin/translatepress-multilingual/vulnerability/wordpress-translatepress-2-9-6-php-object-injection-vulnerability?_s_id=cve.

Details

CWE(s)
CWE-502

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
attack.mitre.org →
Why these techniques?

Deserialization/object injection vulnerability in public-facing WordPress plugin enables RCE via crafted input, directly facilitating exploitation of the web app (T1190) and Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References