CVE-2025-30949
Description
Deserialization of Untrusted Data vulnerability in Guru Team Site Chat on Telegram (site-chat-on-telegram) allows Object Injection. This issue affects Site Chat on Telegram: from n/a through 1.0.4.
Analysis
Deserialization of untrusted data in the Guru Team Site Chat on Telegram WordPress plugin through version 1.0.4 enables PHP object injection attacks. An attacker can inject malicious serialized objects that, when unserialized by the plugin, trigger arbitrary code execution or enable further exploitation via gadget chain abuse. No CVSS score is assigned and exploitation probability is low (EPSS 0.13%), but the vulnerability affects all installations of this plugin up to and including version 1.0.4.
Technical Context
The vulnerability stems from PHP's native deserialization mechanism (the unserialize() function) being applied to untrusted input; CWE-502 (Deserialization of Untrusted Data) is the root cause. When user-controlled data is passed directly to unserialize() without validation, an attacker can supply a crafted serialized PHP object. Upon deserialization, if the application has access to gadget chains (methods in already-loaded classes that can be linked together to execute code), the attacker achieves arbitrary object instantiation and method invocation. The Site Chat on Telegram plugin, a WordPress plugin for integrating Telegram messaging, likely deserializes user input in its chat handling or configuration routines without proper sanitization. CWE-502 is particularly dangerous in PHP environments because magic methods such as __wakeup(), __destruct(), and __toString() run automatically during or after deserialization, without the class constructor ever being called, so any validation that normally happens at object construction is skipped.
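To make the CWE-502 pattern concrete, here is an added example (not code from the Site Chat on Telegram plugin or from Guru Team) that places the vulnerable shape beside a hardened handler. The function names, the expected data shape (a flat array of string keys and scalar values) and the sample inputs are all constructed for illustration.

```php
<?php
// Added example, not code from the Site Chat on Telegram plugin.
// Contrasts raw unserialize() on user input with a handler that never lets
// attacker-controlled bytes instantiate real PHP objects.

declare(strict_types=1);

// Vulnerable pattern (do not use): every class loaded by WordPress, the
// theme or any other plugin becomes instantiable by whoever controls $raw,
// and magic methods such as __wakeup()/__destruct() run on those objects.
function load_chat_state_vulnerable(string $raw): mixed
{
    return unserialize($raw);
}

// Hardened handler, two layers:
//  1. allowed_classes => false makes unserialize() turn every serialized
//     object into __PHP_Incomplete_Class, so no real class's magic methods
//     are reached.
//  2. The result is then validated against the shape this (hypothetical)
//     plugin expects: a flat array of string keys and scalar values.
//     Anything else, including incomplete-class placeholders, is rejected.
function load_chat_state_hardened(string $raw): ?array
{
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return null; // false on malformed input, or a non-array payload
    }
    foreach ($data as $key => $value) {
        if (!is_string($key) || !is_scalar($value)) {
            return null; // objects, nested arrays, incomplete classes
        }
    }
    return $data;
}

// Preferred for new code: JSON has no way to express PHP objects at all,
// so the object-injection class of bug cannot occur.
function load_chat_state_json(string $raw): ?array
{
    $data = json_decode($raw, true, 8);
    return is_array($data) ? $data : null;
}

// Constructed sample inputs (not taken from the advisory).
$benign = serialize(['chat_id' => '12345', 'enabled' => true]);
// A serialized object of a harmless class; with allowed_classes => false it
// never becomes a real object and the shape check rejects it.
$object = 'O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}';

var_dump(load_chat_state_hardened($benign)); // array with chat_id, enabled
var_dump(load_chat_state_hardened($object)); // NULL
var_dump(load_chat_state_json('{"chat_id":"12345"}')); // array with chat_id
```

The shape check in the hardened handler is what prevents the remaining residual risk: even with `allowed_classes => false`, a payload could still carry nested `__PHP_Incomplete_Class` placeholders, and code that later re-serializes or inspects such values can behave unexpectedly, so rejecting anything that is not the expected flat array is the safer default.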
Affected Products
The vulnerability affects the Guru Team Site Chat on Telegram WordPress plugin in all versions from inception through version 1.0.4. The CPE identifier for this product is cpe:2.3:a:guru_team:site-chat-on-telegram:*:*:*:*:*:wordpress:*:* (any version up to 1.0.4). Administrators should check their WordPress plugin dashboard for this plugin and note the installed version. Details and patch information are available in the Patchstack vulnerability database entry linked under Remediation below.
Remediation
Update the Site Chat on Telegram plugin to the latest available version beyond 1.0.4 immediately. Navigate to WordPress Dashboard > Plugins > Installed Plugins, locate Site Chat on Telegram, and click Update if available. If no update is shown, contact the plugin vendor (Guru Team) or consult the Patchstack database entry (https://patchstack.com/database/Wordpress/Plugin/site-chat-on-telegram/vulnerability/wordpress-site-chat-on-telegram-1-0-4-php-object-injection-vulnerability) for the fixed version number and manual update instructions. As a temporary workaround before patching, deactivate the plugin to remove the exposed deserialization path; this reduces exposure but is not a substitute for patching. Keep WordPress core, all other plugins, and themes current as well, since gadget chains are built from whatever classes those components load, and fewer exploitable classes means less for an object-injection bug to reach.