Description
Deserialization of Untrusted Data vulnerability in ThemeGoods Photography photography allows Object Injection.This issue affects Photography: from n/a through <= 7.7.2.
Published: 2025-09-09
Score: 9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability originates from the deserialization of untrusted data in the ThemeGoods Photography WordPress theme, enabling an attacker to perform PHP Object Injection. This weakness, classified as CWE‑502, can allow an attacker to inject malicious objects, potentially leading to arbitrary code execution, data corruption, or denial of service. The description explicitly states that the issue allows Object Injection, implying the consequence is that an attacker could manipulate the system's internal state or execution flow by inserting crafted objects into the deserialization process.

Affected Systems

ThemeGoods Photography theme for WordPress, versions n/a through <=7.7.2, making all installations of this theme and WordPress sites using those versions susceptible. The affected product is the Photography theme distributed by ThemeGoods within the WordPress ecosystem.

Risk and Exploitability

The CVSS score of 9 indicates a critical severity, and the EPSS score of <1% shows a very low but non-zero likelihood of exploitation at the current time. The vulnerability is not listed in CISA’s KEV catalog. Based on the description, the likely attack vector is an unauthenticated request that triggers the theme’s deserialization routine, such as via a crafted URL or form submission. If exploited, an attacker could achieve remote code execution or significant compromise of site integrity and availability.

Generated by OpenCVE AI on April 30, 2026 at 07:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the ThemeGoods Photography theme to the latest available version (>=7.7.3) to remove the deserialization flaw.
  • If an immediate upgrade is not feasible, temporarily disable or replace the Photography theme with a trusted alternative until the patch is applied.
  • Limit exposure by removing or restricting access to any administrative interfaces of the Photography theme, and monitor site logs for suspicious deserialization activity.

Generated by OpenCVE AI on April 30, 2026 at 07:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-27438 Deserialization of Untrusted Data vulnerability in ThemeGoods Photography. This issue affects Photography: from n/a through 7.5.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in ThemeGoods Photography. This issue affects Photography: from n/a through 7.5.2. Deserialization of Untrusted Data vulnerability in ThemeGoods Photography photography allows Object Injection.This issue affects Photography: from n/a through <= 7.7.2.
Title WordPress Photography theme <= 7.5.2 - Unauthenticated PHP Object Injection vulnerability WordPress Photography Theme <= 7.7.2 - PHP Object Injection Vulnerability
References
Metrics cvssV3_1

{'score': 9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H'}

 cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Thu, 22 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Themegoods
Themegoods photography
CPEs cpe:2.3:a:themegoods:photography:*:*:*:*:*:wordpress:*:*
Vendors & Products Themegoods
Themegoods photography

Tue, 09 Sep 2025 23:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 09 Sep 2025 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Tue, 09 Sep 2025 16:45:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in ThemeGoods Photography. This issue affects Photography: from n/a through 7.5.2.
Title WordPress Photography theme <= 7.5.2 - Unauthenticated PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Themegoods Photography
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:45.844Z

Reserved: 2025-05-07T09:55:31.577Z

Link: CVE-2025-47579

cve-icon Vulnrichment

Updated: 2025-09-09T17:50:23.990Z

cve-icon NVD

Status : Modified

Published: 2025-09-09T17:15:46.670

Modified: 2026-04-23T15:30:32.240

Link: CVE-2025-47579

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T07:15:31Z

Weaknesses