Description
Deserialization of Untrusted Data vulnerability in themeton Acerola allows Object Injection. This issue affects Acerola: from n/a through 1.6.5.
Published: 2025-05-23
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A deserialization flaw in the WordPress Acerola plugin permits an attacker to inject arbitrary PHP object data, which can lead to remote code execution, privilege escalation, or other severe consequences. The vulnerability is flagged with a CVSS score of 9.8, indicating a critical level of severity.

Affected Systems

WordPress sites that have the themeton Acerola plugin installed, any version up to and including 1.6.5. The vulnerability exists from the earliest release through 1.6.5, so all installations of those plugin versions are affected.

Risk and Exploitability

The EPSS score of less than 1% suggests that exploitation is currently unlikely, but the high CVSS score and the nature of the flaw mean that a remote attacker could potentially craft malicious serialized data and deliver it via a web request to the vulnerable plugin. The vulnerability is not listed in CISA's KEV catalog, but the combination of a critical severity score and the possibility of remote exploitation makes it a priority for immediate action.

Generated by OpenCVE AI on May 1, 2026 at 08:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Acerola plugin to the latest available version that removes the deserialization flaw.
  • If an upgrade is not available, deactivate or delete the plugin to eliminate the attack surface.
  • Configure a web application firewall or equivalent protection to reject requests containing malformed or suspect serialized data, mitigating potential exploitation attempts.

Generated by OpenCVE AI on May 1, 2026 at 08:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-27816 Deserialization of Untrusted Data vulnerability in themeton Acerola allows Object Injection. This issue affects Acerola: from n/a through 1.6.5.
History

Tue, 28 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
References

Tue, 28 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in themeton Acerola acerola allows Object Injection.This issue affects Acerola: from n/a through <= 1.6.5. Deserialization of Untrusted Data vulnerability in themeton Acerola allows Object Injection. This issue affects Acerola: from n/a through 1.6.5.
Title WordPress Acerola theme <= 1.6.5 - PHP Object Injection Vulnerability WordPress Acerola <= 1.6.5 - PHP Object Injection Vulnerability
References

Thu, 23 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
References

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in themeton Acerola allows Object Injection. This issue affects Acerola: from n/a through 1.6.5. Deserialization of Untrusted Data vulnerability in themeton Acerola acerola allows Object Injection.This issue affects Acerola: from n/a through <= 1.6.5.
Title WordPress Acerola <= 1.6.5 - PHP Object Injection Vulnerability WordPress Acerola theme <= 1.6.5 - PHP Object Injection Vulnerability
References

Fri, 23 May 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 23 May 2025 13:00:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in themeton Acerola allows Object Injection. This issue affects Acerola: from n/a through 1.6.5.
Title WordPress Acerola <= 1.6.5 - PHP Object Injection Vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:16.386Z

Reserved: 2025-04-01T13:21:56.251Z

Link: CVE-2025-31927

cve-icon Vulnrichment

Updated: 2025-05-23T13:22:53.382Z

cve-icon NVD

Status : Deferred

Published: 2025-05-23T13:15:28.900

Modified: 2026-04-28T19:31:25.683

Link: CVE-2025-31927

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T08:15:12Z

Weaknesses