Description
Deserialization of Untrusted Data vulnerability in ConveyThis ConveyThis conveythis-translate allows Object Injection. This issue affects ConveyThis: from n/a through <= 269.1.
Published: 2025-09-22
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ConveyThis’s WordPress Translate widget deserializes untrusted data, providing an object injection flaw that enables an attacker to execute arbitrary PHP code on the server and potentially take full control. This type of vulnerability is categorized as CWE‑502 and can directly compromise confidentiality, integrity, and availability of the affected site.

Affected Systems

The affected product is the ConveyThis WordPress Translate plugin, maintained by the vendor ConveyThis. All releases from the initial version through and including 269.1 are vulnerable, as the deserialization flaw exists throughout that range. No other products or versions are explicitly listed.

Risk and Exploitability

The CVSS score of 7.2 signals a high severity issue, while the EPSS score of less than 1% suggests the likelihood of exploitation is currently low. The vulnerability is not present in the CISA KEV catalog. Based on the description, it is inferred that attackers could target the plugin through any interface that accepts serialized input, such as the language selection widget or shared translation links, to inject malicious objects remotely.

Generated by OpenCVE AI on April 30, 2026 at 06:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the ConveyThis plugin to the latest released version that removes the insecure unserialization process.
  • If an upgrade is not immediately possible, disable the plugin entirely to eliminate the deserialization vector while investigating a long‑term fix.
  • Ensure that any future development avoids unserializing data from untrusted sources; implement strict input validation and consider replacing the vulnerable functionality with a secure alternative.



Advisories
Source: EUVD
ID: EUVD-2025-30745
Title: Deserialization of Untrusted Data vulnerability in ConveyThis Language Translate Widget for WordPress – ConveyThis allows Object Injection. This issue affects Language Translate Widget for WordPress – ConveyThis: from n/a through 264.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Deserialization of Untrusted Data vulnerability in ConveyThis Language Translate Widget for WordPress – ConveyThis allows Object Injection. This issue affects Language Translate Widget for WordPress – ConveyThis: from n/a through 264.
  Added: Deserialization of Untrusted Data vulnerability in ConveyThis ConveyThis conveythis-translate allows Object Injection. This issue affects ConveyThis: from n/a through <= 269.1.
Title
  Removed: WordPress Language Translate Widget for WordPress – ConveyThis Plugin <= 264 - PHP Object Injection Vulnerability
  Added: WordPress ConveyThis plugin <= 269.1 - PHP Object Injection vulnerability
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


Tue, 23 Sep 2025 16:15:00 +0000

Type Values Removed Values Added
First Time appeared
  Conveythis
  Conveythis language Translate Widget For Wordpress Conveythis
  Wordpress
  Wordpress wordpress
Vendors & Products
  Conveythis
  Conveythis language Translate Widget For Wordpress Conveythis
  Wordpress
  Wordpress wordpress

Tue, 23 Sep 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 22 Sep 2025 18:30:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in ConveyThis Language Translate Widget for WordPress – ConveyThis allows Object Injection. This issue affects Language Translate Widget for WordPress – ConveyThis: from n/a through 264.
Title WordPress Language Translate Widget for WordPress – ConveyThis Plugin <= 264 - PHP Object Injection Vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:38.548Z

Reserved: 2025-08-22T11:36:12.721Z

Link: CVE-2025-57919

Vulnrichment

Updated: 2025-09-23T14:05:06.689Z

NVD

Status: Deferred

Published: 2025-09-22T19:15:48.557

Modified: 2026-04-23T15:33:01.910

Link: CVE-2025-57919

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T06:30:29Z

Weaknesses