Description
Deserialization of Untrusted Data vulnerability in Potenzaglobalsolutions CiyaShop ciyashop allows Object Injection.This issue affects CiyaShop: from n/a through <= 4.18.0.
Published: 2025-05-19
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Potenzaglobalsolutions CiyaShop suffers a Deserialization of Untrusted Data vulnerability (CWE-502) that allows PHP Object Injection. A malicious actor can supply crafted serialized data, causing the application to instantiate objects with attacker-controlled properties and execute arbitrary code on the server. The CVSS score of 9.8 indicates a critical severity, meaning the potential impact includes complete compromise of the WordPress site and any connected services.

Affected Systems

The vulnerability affects the WordPress CiyaShop theme provided by Potenzaglobalsolutions, impacting all releases up to and including version 4.18.0. Both the theme and its associated WordPress installation are at risk if the affected theme is active.

Risk and Exploitability

Despite the high CVSS score, the EPSS score is reported as less than 1%, suggesting that widespread exploitation is currently low. The attack vector is inferred to be the injection of malicious serialized objects via inputs that the theme processes, such as theme options, widgets, or administrative interfaces. Because the vulnerability is not listed in CISA’s KEV catalog, there is no known active exploitation at the time of this analysis, but the potential for exploitation remains high and should be treated as a critical threat.

Generated by OpenCVE AI on April 30, 2026 at 19:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the CiyaShop theme to a version newer than 4.18.0, applying the vendor‑issued security patch as soon as it is available.
  • If an update cannot be applied immediately, disable the theme or remove it from the active theme list to eliminate the vulnerable code path while maintaining the site in a minimal functional state.
  • Restrict access to any administrative or AJAX endpoints that accept serialized data, ensuring that only trusted administrators can utilize them, and monitor logs for anomalous deserialization activity.

Generated by OpenCVE AI on April 30, 2026 at 19:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-15784 Deserialization of Untrusted Data vulnerability in Potenzaglobalsolutions CiyaShop allows Object Injection.This issue affects CiyaShop: from n/a through 4.18.0.
History

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in Potenzaglobalsolutions CiyaShop allows Object Injection.This issue affects CiyaShop: from n/a through 4.18.0. Deserialization of Untrusted Data vulnerability in Potenzaglobalsolutions CiyaShop ciyashop allows Object Injection.This issue affects CiyaShop: from n/a through <= 4.18.0.
References

Thu, 29 May 2025 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Potenzaglobalsolutions
Potenzaglobalsolutions ciyashop
CPEs cpe:2.3:a:potenzaglobalsolutions:ciyashop:*:*:*:*:*:wordpress:*:*
Vendors & Products Potenzaglobalsolutions
Potenzaglobalsolutions ciyashop

Mon, 19 May 2025 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 19 May 2025 20:00:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in Potenzaglobalsolutions CiyaShop allows Object Injection.This issue affects CiyaShop: from n/a through 4.18.0.
Title WordPress CiyaShop theme <= 4.18.0 - PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Potenzaglobalsolutions Ciyashop
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:29.316Z

Reserved: 2025-04-16T06:22:10.074Z

Link: CVE-2025-39349

cve-icon Vulnrichment

Updated: 2025-05-19T21:11:11.493Z

cve-icon NVD

Status : Modified

Published: 2025-05-19T20:15:22.890

Modified: 2026-04-23T15:29:23.363

Link: CVE-2025-39349

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T19:30:26Z

Weaknesses