Description
Deserialization of Untrusted Data vulnerability in ThemeMakers Car Dealer cardealer allows Object Injection.This issue affects Car Dealer: from n/a through < 1.6.8.
Published: 2025-05-23
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A deserialization vulnerability allowing an attacker to inject arbitrary PHP objects into the WordPress Car Dealer Theme. This flaw, classified as CWE‑502, can enable the creation of malicious objects that result in arbitrary code execution. The impact is that a remote attacker could take control of the affected WordPress site, read or modify data, install backdoors, or deface the website.

Affected Systems

Any WordPress installation running the ThemeMakers Car Dealer theme with a version prior to 1.6.8 is affected. The vulnerability applies to all releases from the first available version up to but not including 1.6.8.

Risk and Exploitability

The CVSS score of 9.8 indicates a critical severity, while the EPSS of less than 1% suggests a very low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Attackers could exploit the flaw remotely by sending crafted requests to the theme’s deserialization endpoints. If successfully exploited, the attacker would gain full code execution on the host.

Generated by OpenCVE AI on April 30, 2026 at 18:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the ThemeMakers Car Dealer theme to version 1.6.8 or later
  • If an immediate update is not possible, prevent the affected deserialization logic from executing by disabling or removing the theme’s PHP files that handle deserialization
  • Monitor website and server logs for anomalous activity and restrict administrative access to trusted users only

Generated by OpenCVE AI on April 30, 2026 at 18:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-27957 Deserialization of Untrusted Data vulnerability in ThemeMakers Car Dealer allows Object Injection. This issue affects Car Dealer: from n/a through 1.6.6.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in ThemeMakers Car Dealer allows Object Injection.This issue affects Car Dealer: from n/a before 1.6.8. Deserialization of Untrusted Data vulnerability in ThemeMakers Car Dealer cardealer allows Object Injection.This issue affects Car Dealer: from n/a through < 1.6.8.
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 18 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in ThemeMakers Car Dealer allows Object Injection.This issue affects Car Dealer: from n/a before 1.6.7. Deserialization of Untrusted Data vulnerability in ThemeMakers Car Dealer allows Object Injection.This issue affects Car Dealer: from n/a before 1.6.8.
Title WordPress Car Dealer theme < 1.6.7 - PHP Object Injection vulnerability WordPress Car Dealer theme < 1.6.8 - PHP Object Injection vulnerability

Mon, 16 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in ThemeMakers Car Dealer allows Object Injection. This issue affects Car Dealer: from n/a through 1.6.6. Deserialization of Untrusted Data vulnerability in ThemeMakers Car Dealer allows Object Injection.This issue affects Car Dealer: from n/a before 1.6.7.
Title WordPress Car Dealer <= 1.6.6 - PHP Object Injection Vulnerability WordPress Car Dealer theme < 1.6.7 - PHP Object Injection vulnerability

Fri, 23 May 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 23 May 2025 13:00:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in ThemeMakers Car Dealer allows Object Injection. This issue affects Car Dealer: from n/a through 1.6.6.
Title WordPress Car Dealer <= 1.6.6 - PHP Object Injection Vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:32.334Z

Reserved: 2025-04-16T06:23:51.711Z

Link: CVE-2025-39480

cve-icon Vulnrichment

Updated: 2025-05-23T13:34:52.404Z

cve-icon NVD

Status : Deferred

Published: 2025-05-23T13:15:30.460

Modified: 2026-04-23T15:29:38.533

Link: CVE-2025-39480

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T19:00:14Z

Weaknesses