Description
Deserialization of Untrusted Data vulnerability in themeton Dash allows Object Injection. This issue affects Dash: from n/a through 1.3.
Published: 2025-05-23
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a PHP Object Injection caused by deserialization of untrusted data. An attacker can inject a crafted serialized object which, when deserialized by the Dash plugin, results in the execution of arbitrary PHP code. This flaw gives the attacker complete control over the vulnerable WordPress site, leading to total loss of confidentiality, integrity, and availability of the affected systems. The weakness aligns with CWE‑502.

Affected Systems

The product affected is the WordPress dashboard plugin Dash from themeton. All released versions from the earliest available build through version 1.3 are vulnerable. No other products or versions are noted in the CNA data.

Risk and Exploitability

The base CVSS score of 9.8 indicates a critical severity. The EPSS score of less than 1% implies a low but realistic exploitation probability at present. The vulnerability is not listed in the CISA KEV catalog, so there are no known active public exploits documented yet. Based on the description, the likely attack vector is through the plugin’s data handling paths, where an attacker can supply malicious serialized payloads that are deserialized without proper validation, enabling remote code execution often without authentication.

Generated by OpenCVE AI on April 30, 2026 at 18:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Dash plugin to a version higher than 1.3, which contains the fix for the deserialization issue.
  • If an immediate upgrade is not feasible, disable or completely remove the Dash plugin from the WordPress installation to eliminate the vulnerable code path.
  • Implement application-level input validation or a WAF rule to block malformed or unauthorized serialized object data that could trigger deserialization, thereby reducing the opportunity for exploitation.

Generated by OpenCVE AI on April 30, 2026 at 18:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-27796 Deserialization of Untrusted Data vulnerability in themeton Dash allows Object Injection. This issue affects Dash: from n/a through 1.3.
History

Tue, 28 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
References

Tue, 28 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in themeton Dash dash allows Object Injection.This issue affects Dash: from n/a through <= 1.3. Deserialization of Untrusted Data vulnerability in themeton Dash allows Object Injection. This issue affects Dash: from n/a through 1.3.
Title WordPress Dash theme <= 1.3 - PHP Object Injection Vulnerability WordPress Dash <= 1.3 - PHP Object Injection Vulnerability
References

Thu, 23 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
References

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in themeton Dash allows Object Injection. This issue affects Dash: from n/a through 1.3. Deserialization of Untrusted Data vulnerability in themeton Dash dash allows Object Injection.This issue affects Dash: from n/a through <= 1.3.
Title WordPress Dash <= 1.3 - PHP Object Injection Vulnerability WordPress Dash theme <= 1.3 - PHP Object Injection Vulnerability
References

Fri, 23 May 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 23 May 2025 13:00:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in themeton Dash allows Object Injection. This issue affects Dash: from n/a through 1.3.
Title WordPress Dash <= 1.3 - PHP Object Injection Vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:04.313Z

Reserved: 2025-03-26T09:23:34.537Z

Link: CVE-2025-31049

cve-icon Vulnrichment

Updated: 2025-05-23T13:20:06.369Z

cve-icon NVD

Status : Deferred

Published: 2025-05-23T13:15:25.990

Modified: 2026-04-28T19:30:56.120

Link: CVE-2025-31049

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T19:00:14Z

Weaknesses