CVE-2025-39495 - Vulnerability Details

- WordPress Avantage Theme <= 2.4.9 - PHP Object Injection vulnerability

Description

Deserialization of Untrusted Data vulnerability in BoldThemes Avantage avantage allows Object Injection.This issue affects Avantage: from n/a through <= 2.4.9.

Published: 2025-05-23

Score: 9.8 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The flaw is a deserialization of untrusted data that allows PHP object injection within the BoldThemes Avantage WordPress theme. By crafting a malicious payload, an attacker can create arbitrary PHP objects and trigger their magic methods, potentially leading to remote code execution, data theft, or site compromise. The vulnerability is classified under CWE‑502 and the official description indicates it affects all theme releases through version 2.4.9.

Affected Systems

Any WordPress installation using the BoldThemes Avantage theme up to and including version 2.4.9 is vulnerable. This includes sites that have not applied the latest theme revision or have applied earlier patched releases before 2.4.9. The impact is confined to sites running the threatened theme and does not affect other WordPress components directly.

Risk and Exploitability

The CVSS score of 9.8 denotes critical severity, while the EPSS score of less than 1% suggests a currently low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Based on the nature of the flaw, the likely attack vector is remote via HTTP requests that trigger the theme’s deserialization logic. An attacker who can send a crafted payload to the affected WordPress site may achieve full code execution.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

BoldThemes

Avantage

unaffected

Version	Status	Constraints
`0`	affected	≤ 2.4.9

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the BoldThemes Avantage theme to the latest release that removes the deserialization flaw (preferably version 2.5.0 or newer).
If an update is not immediately possible, replace or disable the vulnerable theme and roll back to a secure WordPress theme that does not expose PHP deserialization.
Deploy a Web Application Firewall rule that blocks or sanitizes PHP object deserialization patterns to mitigate the exploitation of the issue.

Generated by OpenCVE AI on April 30, 2026 at 18:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-27962	Deserialization of Untrusted Data vulnerability in BoldThemes Avantage allows Object Injection. This issue affects Avantage: from n/a through 2.4.6.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00369.

Exploitation none

Automatable yes

Technical Impact total

References

Link	Providers
https://patchstack.com/database/Wordpress/Theme/avantage/vulnerability/wordpress-avantage-theme-2-4-6-php-object-injection-vulnerability?_s_id=cve

History

Thu, 23 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

Wed, 01 Apr 2026 23:45:00 +0000

Type	Values Removed	Values Added
Description	Deserialization of Untrusted Data vulnerability in BoldThemes Avantage allows Object Injection. This issue affects Avantage: from n/a through 2.4.6.	Deserialization of Untrusted Data vulnerability in BoldThemes Avantage avantage allows Object Injection.This issue affects Avantage: from n/a through <= 2.4.9.
Title	WordPress Avantage Theme <= 2.4.6 - PHP Object Injection vulnerability	WordPress Avantage Theme <= 2.4.9 - PHP Object Injection vulnerability
References	https://patchstack.com/database/wordpress/theme/avantage/vulnerability/wordpress-avantage-theme-2-4-6-php-object-injection-vulnerability?_s_id=cve	https://patchstack.com/database/Wordpress/Theme/avantage/vulnerability/wordpress-avantage-theme-2-4-6-php-object-injection-vulnerability?_s_id=cve
Metrics	cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

Fri, 23 May 2025 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Fri, 23 May 2025 13:00:00 +0000

Type	Values Removed	Values Added
Description		Deserialization of Untrusted Data vulnerability in BoldThemes Avantage allows Object Injection. This issue affects Avantage: from n/a through 2.4.6.
Title		WordPress Avantage Theme <= 2.4.6 - PHP Object Injection vulnerability
Weaknesses		CWE-502
References		https://patchstack.com/database/wordpress/theme/avantage/vulnerability/wordpress-avantage-theme-2-4-6-php-object-injection-vulnerability?_s_id=cve
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2025-05-23T12:43:53.570Z

Updated: 2026-04-28T16:12:32.853Z

Reserved: 2025-04-16T06:23:58.700Z

Link: CVE-2025-39495

Vulnrichment

Updated: 2025-05-23T13:29:26.116Z

NVD

Status : Deferred

Published: 2025-05-23T13:15:31.210

Modified: 2026-04-23T15:29:40.280

Link: CVE-2025-39495

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T19:00:14Z

Weaknesses

CWE-502

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object