Description
Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Conference grandconference allows Object Injection. This issue affects Grand Conference: from n/a through <= 5.3.
Published: 2025-05-19
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The ThemeGoods Grand Conference theme contains a deserialization of untrusted data flaw, classified as PHP Object Injection (CWE-502). When an attacker can supply serialized data that the theme later unserializes, objects of attacker-chosen classes are instantiated, which can lead to arbitrary code execution or manipulation of the application's state. The vulnerability is severe, with a CVSS score of 9.8, indicating that successful exploitation could compromise the confidentiality, integrity, and availability of the affected WordPress site.

Affected Systems

The Grand Conference WordPress theme from ThemeGoods is affected. All releases through version 5.3, including any 5.3.x, are vulnerable. No further product or version details are available beyond the noted range.

Risk and Exploitability

The low EPSS score (< 1%) suggests that exploitation is unlikely to be widespread or automated at present, and the vulnerability is not yet listed in CISA's KEV catalog. The attack vector is inferred to require that the attacker can submit data the theme deserializes, for example through form inputs, POST requests, or any other mechanism that feeds serialized values to the theme's code. The high CVSS score reflects the criticality of the remote code execution that becomes possible if the flaw is triggered.

Generated by OpenCVE AI on April 30, 2026 at 19:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Grand Conference theme to the latest release, which removes the vulnerable deserialization code.
  • If an update is not immediately possible, disable or uninstall the Grand Conference theme to eliminate the attack surface.
  • Ensure that any serialized data processed by the theme is strictly validated, or replace unserialization with a safe alternative, following input-validation best practice and never calling unserialize on untrusted data.
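The last recommendation above, as an added example that is not code from the Grand Conference theme or from OpenCVE: a PHP 8 sketch of the vulnerable unserialize() pattern beside two safer replacements, unserialize() with allowed_classes disabled and JSON plus allow-list validation. The CacheFile class, the load_settings_* functions and the setting names are hypothetical.

```php
<?php
// Added example, not code from the Grand Conference theme or from OpenCVE.
// It contrasts the CWE-502 pattern described in this advisory with two safer
// ways to load the same data. Class and function names are hypothetical; PHP 8 assumed.
declare(strict_types=1);

// Any class that is loaded when unserialize() runs and defines a magic method
// (__wakeup, __destruct, __toString, ...) is a potential gadget once an
// attacker controls the serialized string. This one only counts destructor
// runs, so the demo can show whether an object was ever instantiated.
final class CacheFile
{
    public static int $destructorRuns = 0;
    public string $path = '/tmp/cache.tmp';

    public function __destruct()
    {
        self::$destructorRuns++;
    }
}

// UNSAFE: attacker-supplied bytes go straight to unserialize(), so the payload
// decides which classes are instantiated. This is the vulnerable pattern.
function load_settings_unsafe(string $raw): array
{
    $data = @unserialize($raw);
    return is_array($data) ? validate_settings($data) : [];
}

// SAFER (1): keep the PHP serialization format but forbid every class.
// Objects in the payload become __PHP_Incomplete_Class and no magic method runs.
function load_settings_no_classes(string $raw): array
{
    $data = @unserialize($raw, ['allowed_classes' => false]);
    return is_array($data) ? validate_settings($data) : [];
}

// SAFER (2), preferred for new code: JSON cannot encode PHP objects at all,
// so there is nothing to inject; only the allow-list validation remains.
function load_settings_json(string $raw): array
{
    try {
        $data = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
    } catch (JsonException) {
        return [];
    }
    return is_array($data) ? validate_settings($data) : [];
}

// Allow-list validation: only known keys with the expected scalar type survive.
// The setting names are hypothetical for a conference theme.
function validate_settings(array $data): array
{
    $schema = ['venue' => 'string', 'speakers_per_row' => 'int', 'show_schedule' => 'bool'];
    $clean = [];
    foreach ($schema as $key => $type) {
        if (!array_key_exists($key, $data)) {
            continue;
        }
        $value = $data[$key];
        $ok = match ($type) {
            'string' => is_string($value) && strlen($value) <= 200,
            'int'    => is_int($value) && $value >= 0 && $value <= 12,
            'bool'   => is_bool($value),
        };
        if ($ok) {
            $clean[$key] = $value;
        }
    }
    return $clean;
}

// Constructed inputs: a benign settings blob and a blob that names a class.
$benign  = serialize(['venue' => 'Hall A', 'speakers_per_row' => 3, 'unknown' => 'dropped']);
$hostile = 'O:9:"CacheFile":1:{s:4:"path";s:14:"/tmp/cache.tmp";}';

var_dump(load_settings_no_classes($benign));    // known keys kept, unknown key dropped
var_dump(load_settings_no_classes($hostile));   // object never instantiated, nothing usable returned
var_dump(load_settings_unsafe($hostile));       // same return value, but the destructor has now run
var_dump(load_settings_json('{"venue":"Hall A","show_schedule":true}'));
echo 'destructor runs: ' . CacheFile::$destructorRuns . PHP_EOL;
```

Run it with any PHP 8 interpreter and compare the destructor counter after the two calls on $hostile: only the unsafe loader instantiates the named class. The allowed_classes option is the smallest change for code that must keep the PHP serialization format; switching the storage format to JSON removes the object-instantiation capability altogether, which is why it is listed as the preferred choice.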

Advisories
Source   ID                 Title
EUVD     EUVD-2025-15781    Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Conference allows Object Injection.This issue affects Grand Conference: from n/a through 5.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Conference allows Object Injection.This issue affects Grand Conference: from n/a through 5.2.
  Added:   Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Conference grandconference allows Object Injection.This issue affects Grand Conference: from n/a through <= 5.3.
Title
  Removed: WordPress Grand Conference theme <= 5.2 - PHP Object Injection vulnerability
  Added:   WordPress Grand Conference theme <= 5.3 - PHP Object Injection vulnerability
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 28 Jan 2026 15:45:00 +0000

Type Values Removed Values Added
First Time appeared   Added: Themegoods; Themegoods grand Conference
CPEs                  Added: cpe:2.3:a:themegoods:grand_conference:*:*:*:*:*:wordpress:*:*
Vendors & Products    Added: Themegoods; Themegoods grand Conference

Mon, 19 May 2025 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 19 May 2025 20:00:00 +0000

Type Values Removed Values Added
Description   Added: Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Conference allows Object Injection.This issue affects Grand Conference: from n/a through 5.2.
Title         Added: WordPress Grand Conference theme <= 5.2 - PHP Object Injection vulnerability
Weaknesses    Added: CWE-502
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:29.330Z

Reserved: 2025-04-16T06:22:10.075Z

Link: CVE-2025-39354

Vulnrichment

Updated: 2025-05-19T21:11:31.941Z

NVD

Status: Modified

Published: 2025-05-19T20:15:23.337

Modified: 2026-04-23T15:29:23.937

Link: CVE-2025-39354

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T19:30:26Z

Weaknesses