
CVE-2025-64353: Deserialization of Untrusted Data in Chouby Polylang

Severity: High
Published: Fri Oct 31 2025 (10/31/2025, 11:42:25 UTC)
Source: CVE Database V5
Vendor/Project: Chouby
Product: Polylang

Description

Deserialization of Untrusted Data vulnerability in Chouby Polylang (polylang) allows Object Injection. This issue affects Polylang: from n/a through <= 3.7.3.

AI-Powered Analysis

Last updated: 01/21/2026, 00:02:20 UTC

Technical Analysis

CVE-2025-64353 is a deserialization of untrusted data vulnerability in the Polylang plugin for WordPress, developed by Chouby. Polylang is widely used to build multilingual websites by managing translations and language switching. The vulnerability affects versions up to and including 3.7.3. It allows an attacker with low privileges (an authenticated user) to supply crafted serialized data that the plugin deserializes insecurely, leading to PHP object injection: unserialize() instantiates whatever classes the serialized input names, and any magic methods on those classes run with attacker-controlled property values. Object injection can therefore enable remote code execution, privilege escalation, or data manipulation, compromising the confidentiality, integrity, and availability of the affected system. The CVSS 3.1 base score is 8.8, indicating high severity: network attack vector, low attack complexity, low privileges required, no user interaction, and full impact on confidentiality, integrity, and availability. No patches or exploit code are publicly available yet, but the vulnerability is published and should be considered critical for environments running Polylang. The absence of user interaction and the low privilege requirement make it a significant threat to WordPress sites, especially those exposed to the internet.

Potential Impact

For European organizations, this vulnerability poses a significant risk to websites using the Polylang plugin, particularly e-commerce, government, and corporate sites relying on multilingual content. Exploitation could lead to unauthorized access to sensitive customer or internal data, defacement or disruption of web services, and potential lateral movement within the network. Given the high impact on confidentiality, integrity, and availability, attackers could steal data, inject malicious content, or cause denial of service. This could result in reputational damage, regulatory penalties under GDPR for data breaches, and operational downtime. Organizations with public-facing WordPress sites that use Polylang are especially vulnerable, as the attack can be performed remotely with minimal privileges and no user interaction.

Mitigation Recommendations

1. Monitor official Chouby and Polylang channels for security updates and apply the fix as soon as it is released.
2. Until a patch is available, consider disabling or removing the Polylang plugin where feasible, especially on critical or sensitive sites.
3. Restrict access to WordPress admin areas to trusted IPs and enforce strong authentication; exploitation requires an authenticated low-privilege account, so limiting who can obtain and use such accounts directly reduces exposure.
4. Deploy a Web Application Firewall (WAF) with rules that detect and block PHP serialized object markers (O:<length>:"ClassName", including URL-encoded and base64-wrapped forms) in request parameters, since an object injection attempt must carry such a token.
5. Conduct regular security audits and vulnerability scans focused on WordPress plugins and deserialization issues.
6. Apply least privilege to WordPress user roles so that a compromised low-privilege account has limited reach.
7. Maintain comprehensive backups and an incident response plan to recover quickly from exploitation.
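As an added illustration of mitigation item 4 (it is not code from Polylang, Patchstack or this site), the following Python check flags PHP serialized object tokens, including URL-encoded and base64-wrapped forms, in request log lines the way a WAF or log-review rule would. The log lines and the class name stdClass are constructed samples, not real traffic or a real gadget.

```python
import base64
import re
from urllib.parse import quote, unquote_plus

# A PHP serialized object begins with O:<byte length>:"<class>":<property count>:{
# Checking the declared length against the class name rejects look-alikes such as
# O:4:"abcde" that a loose substring rule would flag, which keeps false positives down.
OBJECT_TOKEN = re.compile(r'O:(\d+):"([^"]*)":(\d+):\{')
BASE64_RUN = re.compile(r'[A-Za-z0-9+/]{16,}={0,2}')


def find_serialized_objects(text: str) -> list[str]:
    """Return the class name of every well-formed PHP object token in text."""
    found = []
    for length, name, _props in OBJECT_TOKEN.findall(text):
        if int(length) == len(name.encode()):  # PHP counts bytes, not characters
            found.append(name)
    # Payloads are frequently base64-wrapped; decode candidate runs and rescan them.
    for run in BASE64_RUN.findall(text):
        try:
            decoded = base64.b64decode(run, validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error (bad padding or length) is a ValueError
            continue
        found.extend(find_serialized_objects(decoded))
    return found


def scan_request_log(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Return (line number, class names) for each log line whose URL-decoded
    content carries a PHP serialized object."""
    hits = []
    for n, line in enumerate(lines, start=1):
        classes = find_serialized_objects(unquote_plus(line))
        if classes:
            hits.append((n, classes))
    return hits


# Constructed sample access-log lines (not real traffic); stdClass is a placeholder
# for whatever class a payload would name and is not itself a gadget.
_B64_OBJ = quote(base64.b64encode(b'O:8:"stdClass":0:{}').decode(), safe="")
SAMPLE_LOG = [
    '203.0.113.5 - - [31/Oct/2025:12:00:01 +0000] "GET /?lang=fr HTTP/1.1" 200 512',
    '203.0.113.5 - - [31/Oct/2025:12:00:02 +0000] "POST /wp-admin/admin-ajax.php'
    '?data=O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A1%3A%22a%22%3Bi%3A1%3B%7D HTTP/1.1" 200 0',
    '203.0.113.5 - - [31/Oct/2025:12:00:03 +0000] "GET /?s=O:4:%22abcde%22:0:%7B%7D HTTP/1.1" 200 512',
    f'203.0.113.5 - - [31/Oct/2025:12:00:04 +0000] "GET /?opt={_B64_OBJ} HTTP/1.1" 200 512',
]
```

Running scan_request_log(SAMPLE_LOG) reports lines 2 and 4; line 3 is ignored because its declared length does not match the class name, and arrays (a:...) are never flagged because they cannot instantiate a class.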


Technical Details

Data Version: 5.2
Assigner Short Name: Patchstack
Date Reserved: 2025-10-31T11:23:06.889Z
CVSS Version: null
State: PUBLISHED

Threat ID: 6904a34e479ed964d8ea1e91

Added to database: 10/31/2025, 11:53:50 AM

Last enriched: 1/21/2026, 12:02:20 AM

Last updated: 2/7/2026, 2:05:24 AM

