The vulnerability CVE-2025-49434 in axiomthemes Cars4Rent plugin is caused by deserialization of untrusted data, allowing an attacker to perform object injection. This can lead to remote code execution or other severe impacts due to the manipulation of serialized objects. The issue affects versions up to 1.4.2. The CVSS 3.1 base score is 9.8, reflecting critical severity with network attack vector, no privileges required, no user interaction, and full impact on confidentiality, integrity, and availability. There is no patch or vendor advisory currently available to confirm remediation status.

Successful exploitation of this vulnerability can result in complete compromise of the affected system, including unauthorized disclosure, modification, or destruction of data, and disruption of service. The critical CVSS score indicates that an attacker can exploit this remotely without authentication or user interaction, making it highly dangerous. No known exploits in the wild have been reported so far.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a patch is available, users should consider disabling or restricting access to the affected plugin to reduce exposure. Monitor official vendor channels for updates and apply any official fixes promptly once released.