Description
Deserialization of Untrusted Data vulnerability in Fetch Designs Sign-up Sheets sign-up-sheets allows Object Injection.This issue affects Sign-up Sheets: from n/a through <= 2.3.2.
Published: 2025-11-06
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw originates from deserialization of untrusted data within the Sign‑up Sheets plugin, which permits PHP object injection. This weakness, identified as CWE‑502, allows an attacker to craft arbitrary serialized objects that, when processed, can alter object state or execute code within the web application context. The consequence is the potential for full remote code execution, exposing sensitive data, compromising site integrity, and enabling persistence.

Affected Systems

All installations of Fetch Designs Sign‑up Sheets from its earliest releases through version 2.3.2 are vulnerable. WordPress sites that have not upgraded beyond 2.3.2 expose the plugin to this exploitation risk.

Risk and Exploitability

With a CVSS score of 9.8 the vulnerability is classified as critical, though an EPSS score below 1% indicates the likelihood of exploitation remains low. It is not yet listed in the CISA KEV catalog. Based on the description, it is inferred that the probable attack vector is an HTTP request—either via a GET or POST parameter or an internal API call—to the plugin’s endpoint, wherein the attacker supplies a malicious serialized payload. Because remote code execution is possible, administrators should consider the threat high and remediate without delay.

Generated by OpenCVE AI on April 29, 2026 at 23:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Sign‑up Sheets to a version newer than 2.3.2.
  • If upgrading is not an option, uninstall or deactivate the plugin to eliminate the vulnerable logic.
  • Deploy a web application firewall rule that detects and blocks requests containing suspicious serialized payloads targeting the plugin’s endpoints.

Generated by OpenCVE AI on April 29, 2026 at 23:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 11:30:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 10:45:00 +0000

Type Values Removed Values Added
References

Mon, 10 Nov 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 06 Nov 2025 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Fetchdesigns
Fetchdesigns sign-up Sheets
Wordpress
Wordpress wordpress
Vendors & Products Fetchdesigns
Fetchdesigns sign-up Sheets
Wordpress
Wordpress wordpress

Thu, 06 Nov 2025 16:00:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in Fetch Designs Sign-up Sheets sign-up-sheets allows Object Injection.This issue affects Sign-up Sheets: from n/a through <= 2.3.2.
Title WordPress Sign-up Sheets Plugin <= 2.3.2 - PHP Object Injection Vulnerability
Weaknesses CWE-502
References

Subscriptions

Fetchdesigns Sign-up Sheets
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:23:20.575Z

Reserved: 2025-06-04T15:43:46.346Z

Link: CVE-2025-49393

cve-icon Vulnrichment

Updated: 2025-11-10T19:34:55.859Z

cve-icon NVD

Status : Deferred

Published: 2025-11-06T16:15:53.413

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-49393

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T23:30:22Z

Weaknesses