Description
Deserialization of Untrusted Data vulnerability in ThemeREX Organic Beauty organic-beauty allows Object Injection.This issue affects Organic Beauty: from n/a through <= 1.4.6.
Published: 2025-08-20
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a flaw in deserialization of untrusted data that permits attackers to perform PHP object injection in the ThemeREX Organic Beauty WordPress theme. This weakness can let an attacker supply crafted serialized objects that the theme processes without adequate validation, resulting in the execution of arbitrary PHP code. The primary impact is the potential for attackers to gain full system compromise, with unrestricted confidentiality, integrity, and availability damage.

Affected Systems

WordPress sites that use the ThemeREX Organic Beauty theme in any version up to and including 1.4.6 are affected. This includes all WordPress installations that have installed the theme directly from the ThemeREX repository or theme marketplace.

Risk and Exploitability

The CVSS score of 9.8 indicates a critical risk level and the EPSS score of less than 1% suggests that exploitation is not yet widespread but remains possible. Because the vulnerability involves PHP object injection through deserialization of untrusted user data, the likely attack vector is remotely crafted HTTP requests directed at the theme’s processing endpoints. No known exploit has been listed in the KEV catalog, but the severity warrants prompt attention.

Generated by OpenCVE AI on April 30, 2026 at 08:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Organic Beauty theme to a version later than 1.4.6 once the fix is available.
  • If an upgrade cannot be performed, deactivate the theme or switch to a trusted alternative to prevent the vulnerable code from executing.
  • Configure the site to disallow unauthenticated or untrusted access to any endpoints that trigger the theme's deserialization logic, or modify the theme's code to avoid processing external serialized inputs.

Generated by OpenCVE AI on April 30, 2026 at 08:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-25359 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jorge Garcia de Bustos AWStats Script allows Stored XSS. This issue affects AWStats Script: from n/a through 0.3.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jorge Garcia de Bustos AWStats Script allows Stored XSS. This issue affects AWStats Script: from n/a through 0.3. Deserialization of Untrusted Data vulnerability in ThemeREX Organic Beauty organic-beauty allows Object Injection.This issue affects Organic Beauty: from n/a through <= 1.4.6.
Title WordPress AWStats Script plugin <= 0.3 - Cross Site Scripting (XSS) vulnerability WordPress Organic Beauty Theme <= 1.4.6 - PHP Object Injection Vulnerability
Weaknesses CWE-79 CWE-502
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Thu, 21 Aug 2025 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Awstats
Awstats awstats
Wordpress
Wordpress wordpress
Vendors & Products Awstats
Awstats awstats
Wordpress
Wordpress wordpress

Wed, 20 Aug 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 20 Aug 2025 08:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jorge Garcia de Bustos AWStats Script allows Stored XSS. This issue affects AWStats Script: from n/a through 0.3.
Title WordPress AWStats Script plugin <= 0.3 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Awstats Awstats
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:07.320Z

Reserved: 2025-06-11T16:06:23.852Z

Link: CVE-2025-49890

cve-icon Vulnrichment

Updated: 2025-08-20T17:53:58.699Z

cve-icon NVD

Status : Deferred

Published: 2025-08-20T08:15:38.303

Modified: 2026-04-23T15:31:47.533

Link: CVE-2025-49890

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T08:30:06Z

Weaknesses