Impact
The Melapress Login Security plugin for WordPress contains a deserialization flaw that allows untrusted data to be processed as serialized PHP objects, enabling an attacker to perform PHP object injection. This weakness (CWE-502) can lead to remote code execution if a crafted payload is processed by the plugin, potentially compromising the entire WordPress site and the underlying server. The CVSS score of 6.6 indicates moderate severity, and the EPSS score of < 1% indicates a low likelihood of exploitation at present, though exploitation remains possible.
Affected Systems
The affected product is the Melapress Login Security plugin for WordPress; the vendor is Melapress. All releases from the earliest documented version up to and including version 2.1.0 are vulnerable. Site administrators running any of these versions should treat the plugin as unpatched.
Risk and Exploitability
The vulnerability is exploitable through the plugin's deserialization of data received from the web interface or of any other user-supplied input the plugin processes. An attacker could craft a serialized object payload, abuse PHP's object instantiation during deserialization, and execute arbitrary code on the server. Despite the low EPSS score, the vulnerability's absence from the KEV catalog does not preclude exploitation. Sites running the affected plugin, especially those exposed to the public internet, are at moderate risk if not mitigated. The attack vector is most likely web requests to the plugin's endpoints, which requires the site to be publicly reachable.
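The following is an added illustration of the CWE-502 pattern the advisory describes; it is not code from the Melapress Login Security plugin and does not show how the plugin itself handles input. It contrasts the vulnerable shape (passing request data straight to unserialize()) with two hardened alternatives: refusing object instantiation via the allowed_classes option, or abandoning PHP serialization for JSON. The function names load_setting_unsafe, load_setting_safe and load_setting_json and the sample inputs are assumptions made for this example; it assumes PHP 8.0 or later.

```php
<?php
// Added example, not plugin code: the CWE-502 pattern in vulnerable and
// hardened forms. Function names and sample inputs are constructed.
declare(strict_types=1);

// VULNERABLE: raw request data handed straight to unserialize().
// Any class loaded at runtime can be instantiated, and its magic methods
// (__wakeup, __destruct, ...) run with attacker-chosen property values.
function load_setting_unsafe(string $raw): mixed
{
    return unserialize($raw);
}

// Recursively detect objects that unserialize() refused to instantiate.
function contains_incomplete_class(mixed $value): bool
{
    if ($value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_incomplete_class($item)) {
                return true;
            }
        }
    }
    return false;
}

// HARDENED, option 1: keep the serialized format but forbid object
// instantiation. Scalars and arrays still round-trip; every O:/C: record
// is demoted to __PHP_Incomplete_Class, which is then rejected outright
// rather than silently carried through the application.
function load_setting_safe(string $raw): mixed
{
    $value = @unserialize($raw, ['allowed_classes' => false]);
    // unserialize() returns false on malformed input; distinguish that from
    // a legitimately serialized boolean false ("b:0;").
    if ($value === false && $raw !== serialize(false)) {
        throw new InvalidArgumentException('malformed serialized data');
    }
    if (contains_incomplete_class($value)) {
        throw new InvalidArgumentException('object payload rejected');
    }
    return $value;
}

// HARDENED, option 2 (preferred for new code): use JSON, which has no
// notion of PHP classes, so there is nothing for an object payload to
// instantiate. Decoding errors surface as JsonException.
function load_setting_json(string $raw): mixed
{
    return json_decode($raw, true, 512, JSON_THROW_ON_ERROR);
}

// Constructed sample inputs (not captured traffic).
$benign  = serialize(['max_attempts' => 5, 'lockout_seconds' => 900]);
$objects = 'O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}';

// Plain arrays pass through the hardened loader unchanged.
var_dump(load_setting_safe($benign));

// An object record is rejected before any class code can run.
try {
    load_setting_safe($objects);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}

// The JSON route accepts only data, never objects with behaviour.
var_dump(load_setting_json('{"max_attempts":5,"lockout_seconds":900}'));
```

When auditing a plugin for this weakness, the two things to look for are unserialize() calls without the allowed_classes option and any data path where a cookie, POST field, option value or transient written from user input reaches such a call; replacing the format with JSON removes the class of bug rather than filtering it.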