CVE-2025-58839 - Vulnerability Details

- WordPress eDS Responsive Menu Plugin <= 1.2 - PHP Object Injection Vulnerability

Description

Deserialization of Untrusted Data vulnerability in aThemeArt Translations eDS Responsive Menu eds-responsive-menu allows Object Injection.This issue affects eDS Responsive Menu: from n/a through <= 1.2.

Published: 2025-09-05

Score: 7.2 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is a deserialization flaw that permits object injection in the eDS Responsive Menu plugin. When an attacker supplies specially crafted serialized data, the plugin may instantiate or modify objects, potentially leading to unintended code execution or manipulation. The weakness is identified as CWE-502. No explicit confirmation of remote code execution is provided, but the flaw permits arbitrary object manipulation.

Affected Systems

All releases of the aThemeArt Translations eDS Responsive Menu plugin up to version 1.2 on WordPress are vulnerable. The issue impacts every instance of the plugin installed on WordPress, regardless of the host environment.

Risk and Exploitability

The CVSS score of 7.2 indicates moderate to high severity, while an EPSS score under 1 % suggests a low likelihood of current exploitation. The flaw is not included in the CISA KEV list. Attackers would likely need to interact with the plugin’s configuration or request endpoints that process serialized input; this involves either unauthenticated or authenticated access, as the description does not specify. The exploit requires crafting a malicious serialized payload that, when deserialized by the plugin, performs the injected object action.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

aThemeArt Translations

eDS Responsive Menu

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.2

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the eDS Responsive Menu plugin to version 1.3 or later, which removes the vulnerable deserialization code.
If an immediate update is not possible, disable the plugin or uninstall it until a patched version is available.
Apply a web application firewall rule or security plugin that blocks or validates serialized payloads from reaching the plugin’s input endpoints.

Generated by OpenCVE AI on April 30, 2026 at 15:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-26938	Deserialization of Untrusted Data vulnerability in aThemeArt Translations eDS Responsive Menu allows Object Injection. This issue affects eDS Responsive Menu: from n/a through 1.2.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00149.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://patchstack.com/database/Wordpress/Plugin/eds-responsive-menu/vulnerability/wordpress-eds-responsive-menu-plugin-1-2-php-object-injection-vulnerability?_s_id=cve

History

Thu, 23 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}`

Wed, 01 Apr 2026 23:45:00 +0000

Type	Values Removed	Values Added
Description	Deserialization of Untrusted Data vulnerability in aThemeArt Translations eDS Responsive Menu allows Object Injection. This issue affects eDS Responsive Menu: from n/a through 1.2.	Deserialization of Untrusted Data vulnerability in aThemeArt Translations eDS Responsive Menu eds-responsive-menu allows Object Injection.This issue affects eDS Responsive Menu: from n/a through <= 1.2.
References	https://patchstack.com/database/wordpress/plugin/eds-responsive-menu/vulnerability/wordpress-eds-responsive-menu-plugin-1-2-php-object-injection-vulnerability?_s_id=cve	https://patchstack.com/database/Wordpress/Plugin/eds-responsive-menu/vulnerability/wordpress-eds-responsive-menu-plugin-1-2-php-object-injection-vulnerability?_s_id=cve
Metrics	cvssV3_1 `{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}`

Fri, 05 Sep 2025 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 05 Sep 2025 14:00:00 +0000

Type	Values Removed	Values Added
Description		Deserialization of Untrusted Data vulnerability in aThemeArt Translations eDS Responsive Menu allows Object Injection. This issue affects eDS Responsive Menu: from n/a through 1.2.
Title		WordPress eDS Responsive Menu Plugin <= 1.2 - PHP Object Injection Vulnerability
Weaknesses		CWE-502
References		https://patchstack.com/database/wordpress/plugin/eds-responsive-menu/vulnerability/wordpress-eds-responsive-menu-plugin-1-2-php-object-injection-vulnerability?_s_id=cve
Metrics		cvssV3_1 `{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2025-09-05T13:45:28.880Z

Updated: 2026-05-12T00:44:36.353Z

Reserved: 2025-09-05T10:49:39.907Z

Link: CVE-2025-58839

Vulnrichment

Updated: 2025-09-05T19:44:03.092Z

NVD

Status : Deferred

Published: 2025-09-05T14:15:57.170

Modified: 2026-04-23T15:33:44.053

Link: CVE-2025-58839

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T15:30:16Z

Weaknesses

CWE-502

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object