Description
Deserialization of Untrusted Data vulnerability in axiomthemes White Rabbit whiterabbit allows Object Injection.This issue affects White Rabbit: from n/a through <= 1.5.2.
Published: 2025-10-22
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The White Rabbit WordPress theme deserializes untrusted user input without proper validation, enabling PHP Object Injection. An attacker who can supply crafted payloads can instantiate arbitrary objects, potentially leading to remote code execution or data tampering. The vulnerability is aligned with CWE-502 and carries a CVSS score of 9.8.

Affected Systems

Affected templates belong to the AxiomThemes White Rabbit theme for WordPress. Any installation using version 1.5.2 or earlier is vulnerable. Versions beyond 1.5.2 are considered patched.

Risk and Exploitability

The CVSS base score of 9.8 classifies the issue as Critical. EPSS indicates exploitation probability is less than 1 %. The vulnerability is not listed in the CISA KEV catalog, suggesting no known widespread attacks yet, but the high severity score and lack of mitigations make it a high‑priority risk. Based on the description, it is inferred that the attack vector involves crafted requests to the theme’s deserialization endpoints. It is also inferred, due to the lack of explicit authentication requirements in the provided data, that no authentication is required if the theme’s endpoints are publicly accessible.

Generated by OpenCVE AI on April 29, 2026 at 20:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest available version of the White Rabbit theme that is newer than 1.5.2, if one exists, immediately.
  • If an upgrade is not feasible, disable the White Rabbit theme and replace it with a secure alternative.
  • Review and remove custom code or plugins that might feed untrusted data into the theme’s deserialization logic, and enforce strict input validation on all WordPress sites.

Generated by OpenCVE AI on April 29, 2026 at 20:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Thu, 08 Jan 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Axiomthemes
Axiomthemes white Rabbit
CPEs cpe:2.3:a:axiomthemes:white_rabbit:*:*:*:*:*:wordpress:*:*
Vendors & Products Axiomthemes
Axiomthemes white Rabbit

Thu, 13 Nov 2025 11:30:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 10:45:00 +0000

Type Values Removed Values Added
References

Thu, 23 Oct 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 23 Oct 2025 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Wed, 22 Oct 2025 14:45:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in axiomthemes White Rabbit whiterabbit allows Object Injection.This issue affects White Rabbit: from n/a through <= 1.5.2.
Title WordPress White Rabbit theme <= 1.5.2 - PHP Object Injection vulnerability
Weaknesses CWE-502
References

Subscriptions

Axiomthemes White Rabbit
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T18:43:00.651Z

Reserved: 2025-09-25T15:34:33.695Z

Link: CVE-2025-60226

cve-icon Vulnrichment

Updated: 2025-10-23T17:28:58.016Z

cve-icon NVD

Status : Modified

Published: 2025-10-22T15:15:59.757

Modified: 2026-01-20T15:17:35.367

Link: CVE-2025-60226

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T21:00:09Z

Weaknesses