CVE-2025-53586 - Vulnerability Details

- WordPress WeMusic Theme <= 1.9.1 - PHP Object Injection Vulnerability

Description

Deserialization of Untrusted Data vulnerability in NooTheme WeMusic noo-wemusic allows Object Injection.This issue affects WeMusic: from n/a through <= 1.9.1.

Published: 2025-11-06

Score: 8.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is a classic deserialization flaw that permits untrusted data to instantiate PHP objects during unserialize. This flaw can allow an attacker to construct a crafted payload that may result in arbitrary code execution, data tampering, or privilege escalation within the WordPress installation. The related weakness is listed as CWE-502, indicating improper data handling during deserialization.

Affected Systems

The flaw is present in the NooTheme WeMusic WordPress theme for all releases up through version 1.9.1. Users running the theme in any form that processes user-supplied serialized data are impacted.

Risk and Exploitability

The CVSS score of 8.8 reflects a high impact and that the flaw is exploitable via web requests that carry malicious payloads. With an EPSS score of less than 1%, widespread exploitation is currently unlikely, and the issue is not in the CISA KEV catalog. Nonetheless, the attack can be carried out remotely by delivering a crafted serialized object through exposed input points such as theme settings or content fields, making it a significant risk if not mitigated.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

NooTheme

WeMusic

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.9.1

No data.

Vendor	Product	Confidence	Versions
Wordpress	Wordpress	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade NooTheme WeMusic to version 1.9.2 or later.
If an upgrade is not immediately possible, disable or restrict all theme features that accept serialized data from user input, such as theme options or custom post meta, to prevent unserialize from receiving untrusted payloads.
After applying the patch or restriction, review and purge any previously stored serialized data in the WordPress database that may have been exploited, and verify that all caches and transient objects are refreshed.

Generated by OpenCVE AI on May 1, 2026 at 06:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00118.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://patchstack.com/database/Wordpress/Theme/noo-wemusic/vulnerability/wordpress-wemusic-theme-1-9-1-php-object-injection-vulnerability?_s_id=cve

History

Mon, 27 Apr 2026 18:15:00 +0000

Type	Values Removed	Values Added
Metrics	ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 23 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`	cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Tue, 20 Jan 2026 15:30:00 +0000

Type	Values Removed	Values Added
References	https://vdp.patchstack.com/database/Wordpress/Theme/noo-wemusic/vulnerability/wordpress-wemusic-theme-1-9-1-php-object-injection-vulnerability?_s_id=cve

Tue, 20 Jan 2026 14:45:00 +0000

Type	Values Removed	Values Added
References		https://patchstack.com/database/Wordpress/Theme/noo-wemusic/vulnerability/wordpress-wemusic-theme-1-9-1-php-object-injection-vulnerability?_s_id=cve

Thu, 13 Nov 2025 11:30:00 +0000

Type	Values Removed	Values Added
References	https://vdp.patchstack.com/database/Wordpress/Theme/noo-wemusic/vulnerability/wordpress-wemusic-theme-1-9-1-php-object-injection-vulnerability

Thu, 13 Nov 2025 10:45:00 +0000

Type	Values Removed	Values Added
References		https://vdp.patchstack.com/database/Wordpress/Theme/noo-wemusic/vulnerability/wordpress-wemusic-theme-1-9-1-php-object-injection-vulnerability?_s_id=cve

Mon, 10 Nov 2025 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 06 Nov 2025 20:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Wordpress Wordpress wordpress
Vendors & Products		Wordpress Wordpress wordpress

Thu, 06 Nov 2025 16:00:00 +0000

Type	Values Removed	Values Added
Description		Deserialization of Untrusted Data vulnerability in NooTheme WeMusic noo-wemusic allows Object Injection.This issue affects WeMusic: from n/a through <= 1.9.1.
Title		WordPress WeMusic Theme <= 1.9.1 - PHP Object Injection Vulnerability
Weaknesses		CWE-502
References		https://vdp.patchstack.com/database/Wordpress/Theme/noo-wemusic/vulnerability/wordpress-wemusic-theme-1-9-1-php-object-injection-vulnerability

Subscriptions

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2025-11-06T15:54:13.387Z

Updated: 2026-04-28T16:13:26.988Z

Reserved: 2025-07-03T14:51:13.582Z

Link: CVE-2025-53586

Vulnrichment

Updated: 2025-11-10T19:26:09.226Z

NVD

Status : Deferred

Published: 2025-11-06T16:15:57.373

Modified: 2026-04-27T18:16:22.763

Link: CVE-2025-53586

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T06:15:10Z

Weaknesses

CWE-502

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object