Description
Deserialization of Untrusted Data vulnerability in axiomthemes Cars4Rent cars4rent allows Object Injection.This issue affects Cars4Rent: from n/a through <= 1.4.2.
Published: 2025-08-20
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Cars4Rent theme contains a deserialization flaw that permits attackers to inject malicious objects. This CWE‑502 vulnerability can enable arbitrary code execution on the WordPress site, potentially compromising all data and services hosted on the server.

Affected Systems

Axiom Themes’ Cars4Rent theme is vulnerable for all releases up to and including version 1.4.2 – any deployment running 1.4.2 or an earlier version is affected; no lower bound is specified.

Risk and Exploitability

The CVSS score of 9.8 labels the flaw as critical, yet the EPSS score of less than 1% indicates a very low current exploitation probability. The flaw is not listed in CISA KEV. The likely attack vector involves injecting crafted serialized data via any input path processed by the theme (e.g., form fields or options), which could allow remote code execution.

Generated by OpenCVE AI on April 30, 2026 at 08:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Cars4Rent theme to the latest released version that fixes the deserialization issue (any release higher than 1.4.2).
  • If the update is not yet available, disable or delete the theme from the WordPress installation until a patched version is released.
  • Review and restrict any other plugins or custom code that performs unserialize() on user supplied data to prevent similar injection vulnerabilities.

Generated by OpenCVE AI on April 30, 2026 at 08:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-28307 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in stijnvanderree Laposta WooCommerce allows Stored XSS. This issue affects Laposta WooCommerce: from n/a through 1.9.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in stijnvanderree Laposta WooCommerce allows Stored XSS. This issue affects Laposta WooCommerce: from n/a through 1.9.1. Deserialization of Untrusted Data vulnerability in axiomthemes Cars4Rent cars4rent allows Object Injection.This issue affects Cars4Rent: from n/a through <= 1.4.2.
Title WordPress Laposta WooCommerce plugin <= 1.9.1 - Cross Site Scripting (XSS) vulnerability WordPress Cars4Rent Theme <= 1.4.2 - PHP Object Injection Vulnerability
Weaknesses CWE-79 CWE-502
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Thu, 21 Aug 2025 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Woocommerce
Woocommerce woocommerce
Wordpress
Wordpress wordpress
Vendors & Products Woocommerce
Woocommerce woocommerce
Wordpress
Wordpress wordpress

Wed, 20 Aug 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 20 Aug 2025 08:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in stijnvanderree Laposta WooCommerce allows Stored XSS. This issue affects Laposta WooCommerce: from n/a through 1.9.1.
Title WordPress Laposta WooCommerce plugin <= 1.9.1 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Woocommerce Woocommerce
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:04.864Z

Reserved: 2025-06-04T15:44:32.254Z

Link: CVE-2025-49434

cve-icon Vulnrichment

Updated: 2025-08-20T18:00:45.849Z

cve-icon NVD

Status : Deferred

Published: 2025-08-20T08:15:37.653

Modified: 2026-04-23T15:31:40.630

Link: CVE-2025-49434

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T08:30:06Z

Weaknesses