Description
Deserialization of Untrusted Data vulnerability in AncoraThemes Jarvis – Night Club, Concert, Festival WordPress jarvis allows Object Injection. This issue affects Jarvis – Night Club, Concert, Festival WordPress: from n/a through <= 1.8.11.
Published: 2025-05-23
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a deserialization of untrusted data flaw that allows PHP Object Injection. An attacker can supply crafted serialized payloads that are processed by the Jarvis theme, potentially influencing application behavior. The weakness is classified as CWE-502 and carries a CVSS score of 9.8.

Affected Systems

The affected vendor is AncoraThemes and the product is the Jarvis – Night Club, Concert, Festival WordPress theme. All releases from the initial public version up to and including 1.8.11 are vulnerable. Users running any of these versions should verify their installation and apply the fix if possible.

Risk and Exploitability

With a CVSS score of 9.8, the risk is high. The EPSS score of less than 1% suggests that exploitation is not widely observed yet, and the issue is not listed in CISA's KEV catalog. The likely attack vector is remote: the CVSS vector (AV:N/AC:L/PR:N/UI:N) rates the flaw as reachable over the network with no privileges and no user interaction, so a malicious user can inject a serialized object via a web request that the theme processes, leading to potential security compromises. The attacker must deliver the payload to a code path that unserializes input without proper validation, which is typical of PHP object injection attacks. Timely patching is essential to mitigate potential security risks.

Generated by OpenCVE AI on May 1, 2026 at 08:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Jarvis theme to the latest version released by AncoraThemes, which resolves the unserialization flaw.
  • If an upgrade cannot be performed immediately, deactivate or uninstall the Jarvis theme to eliminate the vulnerable code path.
  • Apply a web application firewall rule to block requests containing suspicious serialized data structures (e.g., strings with "__wakeup" or "__destruct" sequences) before they reach the WordPress instance.



Advisories
Source: EUVD
ID: EUVD-2025-27823
Title: Deserialization of Untrusted Data vulnerability in AncoraThemes Jarvis – Night Club, Concert, Festival WordPress allows Object Injection. This issue affects Jarvis – Night Club, Concert, Festival WordPress: from n/a through 1.8.11.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Deserialization of Untrusted Data vulnerability in AncoraThemes Jarvis – Night Club, Concert, Festival WordPress allows Object Injection. This issue affects Jarvis – Night Club, Concert, Festival WordPress: from n/a through 1.8.11.
  Added: Deserialization of Untrusted Data vulnerability in AncoraThemes Jarvis – Night Club, Concert, Festival WordPress jarvis allows Object Injection. This issue affects Jarvis – Night Club, Concert, Festival WordPress: from n/a through <= 1.8.11.
Title
  Removed: WordPress Jarvis – Night Club, Concert, Festival WordPress <= 1.8.11 - PHP Object Injection Vulnerability
  Added: WordPress Jarvis – Night Club, Concert, Festival WordPress theme <= 1.8.11 - PHP Object Injection Vulnerability
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Fri, 23 May 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 23 May 2025 13:00:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in AncoraThemes Jarvis – Night Club, Concert, Festival WordPress allows Object Injection. This issue affects Jarvis – Night Club, Concert, Festival WordPress: from n/a through 1.8.11.
Title WordPress Jarvis – Night Club, Concert, Festival WordPress <= 1.8.11 - PHP Object Injection Vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:21.018Z

Reserved: 2025-04-04T10:02:46.814Z

Link: CVE-2025-32292

Vulnrichment

Updated: 2025-05-23T13:38:49.126Z

NVD

Status: Deferred

Published: 2025-05-23T13:15:29.673

Modified: 2026-04-23T15:28:54.837

Link: CVE-2025-32292

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T08:15:12Z

Weaknesses