Description
Deserialization of Untrusted Data vulnerability in ThemeREX Classter classter allows Object Injection.This issue affects Classter: from n/a through <= 2.5.
Published: 2026-03-05
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Deserialization of untrusted data in the ThemeREX Classter theme allows attackers to inject PHP objects. This PHP object injection flaw can lead to arbitrary code execution, data tampering or leakage, and is a client‑side vulnerability with severe impact as indicated by a CVSS score of 9.8. The weakness is classified as deserialization‑related (CWE‑502).

Affected Systems

WordPress sites that use the Classter theme version 2.5 or earlier are affected. The vulnerability applies to all releases from the theme’s initial availability through version 2.5, with no specific patch version identified in the entry. No additional platform enumeration is available beyond the theme name.

Risk and Exploitability

The flaw is highly exploitable, yet the EPSS score is reported as less than 1%, suggesting limited exploitation activity to date. The vulnerability is not listed in the CISA KEV catalog, indicating no publicly known widespread incidents. Attackers would likely need to deliver a crafted serialized payload via an HTTP request to a vulnerable endpoint in the theme to trigger the deserialization and achieve remote code execution. The high CVSS base score reflects a very high severity and wide impact across all affected installations.

Generated by OpenCVE AI on April 29, 2026 at 14:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Classter theme to the latest available version (ensure it is 2.6 or newer if released).
  • If an upgrade is not immediately possible, disable or restrict access to any administrative or AJAX endpoints that trigger theme deserialization logic, using web‑application firewall rules or HTTP 403 blocks.
  • Deploy a web application firewall rule that blocks requests containing serialized PHP payloads aimed at the theme’s deserialization routine.

Generated by OpenCVE AI on April 29, 2026 at 14:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Thermerex
Thermerex classter
Wordpress
Wordpress wordpress
Vendors & Products Thermerex
Thermerex classter
Wordpress
Wordpress wordpress

Thu, 05 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 05 Mar 2026 06:15:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in ThemeREX Classter classter allows Object Injection.This issue affects Classter: from n/a through <= 2.5.
Title WordPress Classter theme <= 2.5 - PHP Object Injection vulnerability
Weaknesses CWE-502
References

Subscriptions

Thermerex Classter
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T18:44:51.756Z

Reserved: 2025-07-16T08:51:16.735Z

Link: CVE-2025-54001

cve-icon Vulnrichment

Updated: 2026-03-05T15:36:34.760Z

cve-icon NVD

Status : Deferred

Published: 2026-03-05T06:16:11.547

Modified: 2026-04-22T21:26:58.303

Link: CVE-2025-54001

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T14:45:13Z

Weaknesses