Description
Deserialization of Untrusted Data vulnerability in ThemeGoods Altair altair allows Object Injection. This issue affects Altair: from n/a through <= 5.2.2.
Published: 2025-05-19
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Altair theme for WordPress contains a PHP object injection flaw that arises from deserializing untrusted input without validation. The flaw can allow an attacker to instantiate arbitrary PHP objects, potentially leading to remote code execution or other compromise. It is classified as CWE-502.

Affected Systems

The vulnerability affects ThemeGoods Altair theme for WordPress, versions n/a through 5.2.2, on any WordPress installation that uses those theme versions.

Risk and Exploitability

The flaw carries a CVSS score of 9.8, indicating critical severity, and an EPSS score below 1%, showing a low current probability of exploitation. It is not listed in the CISA KEV catalog. Because object injection is possible, it is inferred that an attacker who can supply crafted serialized data via an HTTP request to the theme may achieve remote code execution, which could result in full system compromise, data loss, or disclosure.

Generated by OpenCVE AI on May 1, 2026 at 08:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Altair theme to a version newer than 5.2.2.
  • If an upgrade is not feasible, deactivate or uninstall the Altair theme until a fixed version is released.
  • Deploy a web application firewall to detect and block attempts to send malicious serialized payloads to the site.

Advisories
Source ID Title
EUVD EUVD-2025-15786 Deserialization of Untrusted Data vulnerability in ThemeGoods Altair allows Object Injection. This issue affects Altair: from n/a through 5.2.2.
History

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Removed: Deserialization of Untrusted Data vulnerability in ThemeGoods Altair allows Object Injection. This issue affects Altair: from n/a through 5.2.2.
Added: Deserialization of Untrusted Data vulnerability in ThemeGoods Altair altair allows Object Injection. This issue affects Altair: from n/a through <= 5.2.2.
References

Thu, 29 May 2025 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Themegoods
Themegoods altair
CPEs cpe:2.3:a:themegoods:altair:*:*:*:*:*:wordpress:*:*
Vendors & Products Themegoods
Themegoods altair

Mon, 19 May 2025 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 19 May 2025 20:00:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in ThemeGoods Altair allows Object Injection. This issue affects Altair: from n/a through 5.2.2.
Title WordPress Altair theme <= 5.2.2 - PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:28.970Z

Reserved: 2025-04-14T11:30:45.185Z

Link: CVE-2025-32928

Vulnrichment

Updated: 2025-05-19T21:10:58.334Z

NVD

Status: Modified

Published: 2025-05-19T20:15:22.590

Modified: 2026-04-23T15:29:23.007

Link: CVE-2025-32928

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T08:15:12Z

Weaknesses