Description
Deserialization of Untrusted Data vulnerability in uxper Sala allows Object Injection. This issue affects Sala: from n/a through 1.1.3.
Published: 2025-06-27
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Sala, a WordPress theme by uxper, contains code that deserializes data without proper validation. This PHP Object Injection flaw (CWE-502) allows an attacker to craft a serialized payload that, when processed by the theme, results in arbitrary PHP code execution on the host and can lead to complete compromise of the affected website.

Affected Systems

Any WordPress installation using uxper’s Sala theme version 1.1.3 or earlier is affected. The vulnerability exists in every release of the theme from its initial version up to and including 1.1.3. Systems running newer versions of the theme are not impacted.

Risk and Exploitability

The CVSS score of 8.8 signals high severity. While the EPSS score is reported as < 1%, indicating a low current probability of exploitation, the potential impact remains severe; the flaw is not listed in the CISA KEV catalog. The likely attack vector is a remote attacker sending a malicious serialized payload to a page or administrative endpoint that loads theme data, as the description explicitly states deserialization of untrusted data (the PR:L component of the CVSS vector indicates that a low-privileged account is required). The threat is therefore significant for any public-facing WordPress site that activates the Sala theme without proper input sanitization.

Generated by OpenCVE AI on April 30, 2026 at 10:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Sala theme to the latest release (any version newer than 1.1.3) to remove the deserialization flaw.
  • If an upgrade is not immediately feasible, replace the theme with a different, vetted theme that does not perform unserialization of external data and activate only essential plugins.
  • Monitor web server and application logs for suspicious PHP execution attempts or unexpected serialized-object patterns in request data, so that exploitation attempts are detected early.

Advisories

Source: EUVD
ID: EUVD-2025-19314
Title: Deserialization of Untrusted Data vulnerability in uxper Sala allows Object Injection. This issue affects Sala: from n/a through 1.1.3.
History

Tue, 28 Apr 2026 19:45:00 +0000


Tue, 28 Apr 2026 18:30:00 +0000

Description: removed "Deserialization of Untrusted Data vulnerability in uxper Sala sala allows Object Injection.This issue affects Sala: from n/a through <= 1.1.3."; added "Deserialization of Untrusted Data vulnerability in uxper Sala allows Object Injection. This issue affects Sala: from n/a through 1.1.3."
References: (changed)

Thu, 23 Apr 2026 15:45:00 +0000


Thu, 23 Apr 2026 15:00:00 +0000

Description: removed "Deserialization of Untrusted Data vulnerability in uxper Sala allows Object Injection. This issue affects Sala: from n/a through 1.1.3."; added "Deserialization of Untrusted Data vulnerability in uxper Sala sala allows Object Injection.This issue affects Sala: from n/a through <= 1.1.3."
References: (changed)

Fri, 27 Jun 2025 14:15:00 +0000

Metrics: added ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 27 Jun 2025 12:00:00 +0000

Description: added "Deserialization of Untrusted Data vulnerability in uxper Sala allows Object Injection. This issue affects Sala: from n/a through 1.1.3."
Title: added "WordPress Sala theme <= 1.1.3 - PHP Object Injection Vulnerability"
Weaknesses: added CWE-502
References: (added)
Metrics: added cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:19.848Z

Reserved: 2025-06-19T10:03:43.798Z

Link: CVE-2025-52826

Vulnrichment

Updated: 2025-06-27T14:05:15.302Z

NVD

Status : Deferred

Published: 2025-06-27T12:15:44.350

Modified: 2026-04-28T19:33:29.563

Link: CVE-2025-52826

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T10:45:26Z

Weaknesses