CVE-2025-60224
wpshuffle · Subscribe to Download
The wpshuffle Subscribe to Download plugin for WordPress contains a deserialization of untrusted data vulnerability, enabling unauthenticated remote object injection.
Executive summary
A critical deserialization vulnerability in the wpshuffle Subscribe to Download plugin allows unauthenticated attackers to perform remote object injection, potentially leading to full site compromise.
Vulnerability
This vulnerability involves the insecure deserialization of untrusted, user-supplied data (PHP object injection), which an unauthenticated attacker can leverage to execute arbitrary code or manipulate application objects.
Business impact
The exploitation of this vulnerability poses a severe risk to organizational integrity, as it may result in unauthorized remote code execution on the underlying WordPress server. Given the CVSS score of 9.8, this flaw represents a critical threat capable of leading to complete data exfiltration, site defacement, or the installation of persistent backdoors.
Remediation
Immediate Action: Administrators must immediately update the Subscribe to Download plugin to the latest available version provided by the vendor.
Proactive Monitoring: Security teams should monitor server access logs for anomalous POST requests or serialized strings originating from external, unauthenticated sources.
Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to block suspicious serialized PHP objects to provide a temporary layer of protection.
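To illustrate the monitoring and WAF guidance above, here is an added detection example (not code from the advisory or the plugin) that scans captured request bodies and query strings for serialized PHP object signatures, including URL-encoded and base64-wrapped forms; the sample requests, paths and parameter names are constructed for the demonstration.

```python
import base64
import re
from urllib.parse import parse_qsl

# Serialized PHP object signatures: O:<len>:"<class>":<props>:{ and C:<len>:"<class>":<len>:{
# Namespaced class names contain backslashes, so the character class allows them.
PHP_OBJECT_RE = re.compile(r'[OC]:\d+:"([A-Za-z_\\][A-Za-z0-9_\\]*)":\d+:\{')


def _candidate_texts(raw: str):
    """Yield the raw text, then each URL-decoded form value and its base64-decoded form."""
    yield raw
    for _, value in parse_qsl(raw, keep_blank_values=True):
        yield value
        try:
            yield base64.b64decode(value, validate=True).decode("utf-8", "replace")
        except ValueError:  # not valid base64 (binascii.Error is a ValueError subclass)
            pass


def find_php_objects(text: str) -> list[str]:
    """Return class names of serialized PHP objects found in text, in order, without duplicates."""
    found: list[str] = []
    for candidate in _candidate_texts(text):
        for cls in PHP_OBJECT_RE.findall(candidate):
            if cls not in found:
                found.append(cls)
    return found


def flag_requests(records):
    """records: iterable of (request_id, method, path, body). Returns (request_id, [classes])
    for every request whose query string or body carries a serialized PHP object."""
    hits = []
    for rid, method, path, body in records:
        query = path.partition("?")[2]
        classes = find_php_objects(query + "&" + body)
        if classes:
            hits.append((rid, classes))
    return hits


# Constructed sample requests (hypothetical parameter names, not the plugin's real ones).
SAMPLE_REQUESTS = [
    ("r1", "POST", "/wp-admin/admin-ajax.php", "action=subscribe&email=user%40example.com"),
    ("r2", "POST", "/wp-admin/admin-ajax.php",
     "action=subscribe&data=O%3A11%3A%22Demo_Object%22%3A1%3A%7Bs%3A4%3A%22name%22%3Bs%3A3%3A%22foo%22%3B%7D"),
    ("r3", "POST", "/wp-admin/admin-ajax.php",
     "action=subscribe&payload=" + base64.b64encode(b'O:14:"Acme\\Demo\\Item":0:{}').decode()),
    ("r4", "GET", "/?s=O%3A1", ""),
]

if __name__ == "__main__":
    for rid, classes in flag_requests(SAMPLE_REQUESTS):
        print(f"{rid}: serialized PHP object(s) {classes}")
```

Standard web-server access logs record only the request line, not the POST body, so this check needs a WAF or mod_security audit log, or application-level request logging, to see the payload.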
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
This vulnerability is classified as critical due to the potential for unauthenticated remote code execution. Organizations should prioritize patching this plugin across all affected WordPress installations to mitigate the risk of total system compromise.