Description
Deserialization of Untrusted Data vulnerability in designthemes Solar Energy solar allows Object Injection. This issue affects Solar Energy: from n/a through <= 3.5.
Published: 2025-10-22
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Solar Energy theme for WordPress contains a deserialization weakness that allows untrusted data to be unserialized into PHP objects. This flaw enables an attacker to supply malicious serialized objects that, when unserialized, can execute arbitrary code on the server. The impact includes full compromise of confidentiality, integrity, and availability, as an attacker could inject backdoors or modify site content.

Affected Systems

The vulnerability is present in the Solar Energy theme produced by designthemes for WordPress, affecting all installations using version 3.5 or earlier. WordPress sites running this theme are directly exposed to exploitation if untrusted data reaches the theme’s deserialization logic.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity, but the EPSS score of less than 1% suggests that the likelihood of exploitation is currently low. The issue is not listed in CISA’s KEV catalog, meaning there is no confirmed widespread exploitation. The likely attack vector involves supplying crafted serialized input to the theme, perhaps through form fields, URL parameters, or theme settings that are not properly validated.

Generated by OpenCVE AI on April 29, 2026 at 16:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Solar Energy theme to the latest release (any version beyond 3.5) to remove the deserialization flaw
  • If a quick upgrade is not possible, temporarily deactivate or replace the Solar Energy theme to prevent the vulnerability from being reachable
  • Limit input that passes through the theme by validating or sanitizing payloads before they reach PHP’s unserialize function; consider disabling PHP’s native unserialization where the theme may misuse it

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 13 Nov 2025 11:30:00 +0000


Thu, 13 Nov 2025 10:45:00 +0000


Thu, 23 Oct 2025 16:15:00 +0000

Type: Metrics

Values Removed:
cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}
ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Values Added:
cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 23 Oct 2025 10:30:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Wed, 22 Oct 2025 20:15:00 +0000

Type: Metrics

Values Added:
cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}
ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Oct 2025 14:45:00 +0000

Values Added:
Description: Deserialization of Untrusted Data vulnerability in designthemes Solar Energy solar allows Object Injection. This issue affects Solar Energy: from n/a through <= 3.5.
Title: WordPress Solar Energy theme <= 3.5 - PHP Object Injection Vulnerability
Weaknesses: CWE-502
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:37:51.256Z

Reserved: 2025-04-04T10:02:38.418Z

Link: CVE-2025-32283

Vulnrichment

Updated: 2025-10-22T19:52:14.824Z

NVD

Status: Deferred

Published: 2025-10-22T15:15:33.307

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-32283

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T17:00:13Z

Weaknesses