Description
Deserialization of Untrusted Data vulnerability in ThemeGoods Photography.This issue affects Photography: from n/a through 7.5.2.
Published: 2025-06-06
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Deserialization of untrusted data in the ThemeGoods Photography theme allows an attacker to inject a malicious serialized PHP object, which can lead to the execution of arbitrary code on the host. The primary impact is a loss of integrity and confidentiality, as the attacker could gain full control of the WordPress site and potentially all data stored on it. This is a classic PHP Object Injection flaw identified as CWE‑502.

Affected Systems

The vulnerability affects the ThemeGoods Photography WordPress theme for all releases up to and including version 7.5.2. Users running any earlier version of the theme on a WordPress installation are exposed to this risk.

Risk and Exploitability

The CVSS score of 8.5 signifies a high severity potential. The EPSS score of less than 1% indicates that, as of the latest data, exploitation is not common, yet the category remains high risk because an attacker can target any vulnerable theme through the network. The vulnerability is not listed in the CISA KEV catalog, but the high CVSS score warrants immediate attention. The likely attack vector is remote, where an attacker crafts and submits a malicious serialized object to a data processing endpoint within the theme.

Generated by OpenCVE AI on April 30, 2026 at 12:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the ThemeGoods Photography theme to a version newer than 7.5.2, downloading the latest release from the vendor’s site.
  • If an upgrade cannot be performed immediately, deactivate the theme to eliminate the vulnerable code path.
  • Review any user‑supplied data processed by the theme and implement strict validation or switch to secure deserialization mechanisms as recommended for CWE‑502.

Generated by OpenCVE AI on April 30, 2026 at 12:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-17127 Deserialization of Untrusted Data vulnerability in ThemeGoods Photography.This issue affects Photography: from n/a through 7.5.2.
History

Thu, 22 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Themegoods
Themegoods photography
CPEs cpe:2.3:a:themegoods:photography:*:*:*:*:*:wordpress:*:*
Vendors & Products Themegoods
Themegoods photography

Fri, 06 Jun 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 06 Jun 2025 12:00:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in ThemeGoods Photography.This issue affects Photography: from n/a through 7.5.2.
Title WordPress Photography theme <= 7.5.2 - PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Themegoods Photography
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:45.849Z

Reserved: 2025-05-07T09:55:31.578Z

Link: CVE-2025-47584

cve-icon Vulnrichment

Updated: 2025-06-06T15:41:44.334Z

cve-icon NVD

Status : Analyzed

Published: 2025-06-06T12:15:23.320

Modified: 2026-01-22T21:59:52.237

Link: CVE-2025-47584

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T12:15:36Z

Weaknesses