Description
Deserialization of Untrusted Data vulnerability in awethemes Hillter allows Object Injection. This issue affects Hillter: from n/a through 3.0.7.
Published: 2025-07-16
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Hillter theme contains a deserialization flaw that allows attacker controlled serialized data to be parsed by the PHP runtime, resulting in PHP Object Injection. This weakness can enable arbitrary code execution and compromise the confidentiality, integrity, and availability of the affected WordPress site.

Affected Systems

AweThemes Hillter theme versions from the earliest release through 3.0.7 are affected.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, while the EPSS score of less than 1% shows that the exploitation probability is currently very low. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote, through any WordPress request that accepts serialized input, such as form data or URL parameters, that can be crafted by an attacker to inject malicious objects.

Generated by OpenCVE AI on May 1, 2026 at 06:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Hillter theme to a version newer than 3.0.7 provided by AweThemes.
  • If an update is not immediately available, disable or switch to an alternative theme to remove the vulnerable code.
  • Consider implementing input validation or a web application firewall that blocks suspicious serialized payloads to mitigate potential exploitation until a patch is applied.

Generated by OpenCVE AI on May 1, 2026 at 06:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-21598 Deserialization of Untrusted Data vulnerability in awethemes Hillter allows Object Injection. This issue affects Hillter: from n/a through 3.0.7.
History

Tue, 28 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
References

Tue, 28 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in awethemes Hillter hillter allows Object Injection.This issue affects Hillter: from n/a through <= 3.0.7. Deserialization of Untrusted Data vulnerability in awethemes Hillter allows Object Injection. This issue affects Hillter: from n/a through 3.0.7.
References

Thu, 23 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
References

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in awethemes Hillter allows Object Injection. This issue affects Hillter: from n/a through 3.0.7. Deserialization of Untrusted Data vulnerability in awethemes Hillter hillter allows Object Injection.This issue affects Hillter: from n/a through <= 3.0.7.
References

Wed, 16 Jul 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 16 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00038}

Wed, 16 Jul 2025 11:45:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in awethemes Hillter allows Object Injection. This issue affects Hillter: from n/a through 3.0.7.
Title WordPress Hillter theme <= 3.0.7 - PHP Object Injection Vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:34.304Z

Reserved: 2025-01-23T14:53:25.027Z

Link: CVE-2025-24777

cve-icon Vulnrichment

Updated: 2025-07-16T13:22:53.800Z

cve-icon NVD

Status : Deferred

Published: 2025-07-16T12:15:23.530

Modified: 2026-04-28T19:29:33.477

Link: CVE-2025-24777

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T07:00:06Z

Weaknesses