Description
Deserialization of Untrusted Data vulnerability in QuanticaLabs MediCenter - Health Medical Clinic medicenter allows Object Injection. This issue affects MediCenter - Health Medical Clinic: from n/a through <= 15.1.
Published: 2025-08-20
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a PHP object injection flaw caused by the deserialization of untrusted data within the MediCenter – Health Medical Clinic theme for WordPress. An attacker who can supply crafted serialized payloads could cause the server to instantiate arbitrary PHP objects, allowing execution of arbitrary PHP code and full compromise of the web application. The weakness is identified as CWE-502 and the impact is remote code execution, potentially leading to data theft, defacement, or further lateral movement on the host.

Affected Systems

The affected product is the MediCenter – Health Medical Clinic theme distributed by QuanticaLabs. All releases from the earliest available version through and including version 15.1 are vulnerable. No specific minor revisions were listed, so any instance of the theme at or below 15.1 is considered at risk.

Risk and Exploitability

The CVSS score of 9.8 places this flaw in the highest critical severity range. The EPSS score is reported as less than 1%, indicating a very low but non-zero probability of exploitation in the wild; however, the lack of a KEV listing does not exclude the possibility of targeted attacks. The likely attack vector is remote, via HTTP requests that deliver malicious serialized data to the theme’s processing functions. The flaw is inferred to be exploitable without requiring authenticated access, meaning any visitor could potentially trigger it.

Generated by OpenCVE AI on April 30, 2026 at 16:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the MediCenter – Health Medical Clinic theme to the latest released version (15.2 or newer) to eliminate the deserialization flaw and restore secure functionality.
  • If an upgrade is not immediately feasible, temporarily disable or remove any theme functionality that triggers the vulnerable deserialization routines, such as disabling the custom post type or AJAX endpoints that handle serialized data.
  • Implement input validation or sanitization on all payloads directed to the theme, ensuring that only trusted serialized data is processed, or block external sources from sending serialized data.
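As an added illustration of the bug class described under Impact and of the input-validation recommendation above (not code from the MediCenter theme, whose vulnerable routine is not shown on this page): a hypothetical WordPress AJAX handler using the unsafe unserialize() pattern, followed by a hardened replacement. All function, action and parameter names are assumptions.

```php
<?php
// Added illustration (not MediCenter's code): a hypothetical WordPress AJAX
// handler showing the CWE-502 pattern and a hardened replacement.

// Vulnerable pattern: unserialize() on request data lets the sender choose
// which classes get instantiated, so any loaded class with __wakeup() or
// __destruct() side effects becomes reachable (PHP object injection).
function medicenter_demo_vulnerable_handler() {
    $raw = isset($_POST['settings']) ? wp_unslash($_POST['settings']) : '';
    $settings = unserialize($raw);   // untrusted input, arbitrary objects
    wp_send_json_success($settings);
}

// Hardened: refuse objects entirely and validate the resulting structure.
function medicenter_demo_parse_settings(string $raw) {
    // allowed_classes => false makes every serialized object come back as
    // __PHP_Incomplete_Class instead of instantiating the named class.
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if ($data === false && $raw !== serialize(false)) {
        return null; // malformed or truncated payload
    }
    // Accept only a flat array of string keys and scalar values; this also
    // rejects __PHP_Incomplete_Class placeholders at any nesting level.
    if (!is_array($data)) {
        return null;
    }
    foreach ($data as $key => $value) {
        if (!is_string($key) || !is_scalar($value)) {
            return null;
        }
    }
    return $data;
}

function medicenter_demo_hardened_handler() {
    check_ajax_referer('medicenter_demo_nonce', 'nonce'); // CSRF guard
    $raw = isset($_POST['settings']) ? wp_unslash($_POST['settings']) : '';
    $settings = medicenter_demo_parse_settings($raw);
    if ($settings === null) {
        wp_send_json_error('invalid settings payload', 400);
    }
    wp_send_json_success($settings);
}
add_action('wp_ajax_medicenter_demo', 'medicenter_demo_hardened_handler');
```

Where the data format is under your control, replacing PHP serialization with json_decode() removes the object-instantiation path altogether.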

Advisories
Source: EUVD
ID: EUVD-2025-28545
Title: Deserialization of Untrusted Data vulnerability in QuanticaLabs MediCenter - Health Medical Clinic allows Object Injection. This issue affects MediCenter - Health Medical Clinic: from n/a through 15.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in QuanticaLabs MediCenter - Health Medical Clinic allows Object Injection. This issue affects MediCenter - Health Medical Clinic: from n/a through 15.1. Deserialization of Untrusted Data vulnerability in QuanticaLabs MediCenter - Health Medical Clinic medicenter allows Object Injection.This issue affects MediCenter - Health Medical Clinic: from n/a through <= 15.1.
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Thu, 21 Aug 2025 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Wed, 20 Aug 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 20 Aug 2025 08:15:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in QuanticaLabs MediCenter - Health Medical Clinic allows Object Injection. This issue affects MediCenter - Health Medical Clinic: from n/a through 15.1.
Title WordPress MediCenter - Health Medical Clinic <= 15.1 - PHP Object Injection Vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:28.353Z

Reserved: 2025-07-16T08:51:37.992Z

Link: CVE-2025-54014

Vulnrichment

Updated: 2025-08-20T13:54:52.254Z

NVD

Status : Deferred

Published: 2025-08-20T08:15:45.523

Modified: 2026-04-23T15:32:42.213

Link: CVE-2025-54014

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T16:15:06Z

Weaknesses