Description
Deserialization of Untrusted Data vulnerability in designthemes Knowledge Base kbase allows Object Injection. This issue affects Knowledge Base: from n/a through <= 2.9.
Published: 2025-10-22
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The designthemes Knowledge Base theme contains a PHP Object Injection flaw caused by deserializing data that is not fully validated. An attacker can supply a crafted serialized payload that, when unserialized, instantiates a PHP object with attacker-controlled state, allowing execution of arbitrary PHP code or alteration of application logic. The result is a full Remote Code Execution condition that can compromise the confidentiality, integrity, and availability of the affected WordPress site. The weakness is classified as CWE-502.

Affected Systems

WordPress installations running the designthemes Knowledge Base theme at version 2.9 or earlier are vulnerable. No specific sub-versions are enumerated beyond the <= 2.9 cutoff, so every release in that range should be considered at risk.

Risk and Exploitability

The CVSS score of 8.8 reflects high severity, driven by the ability to tamper with application logic and take control of the site; the recorded vector (AV:N/AC:L/PR:L/UI:N) describes a network-reachable flaw that needs only low privileges and no user interaction. The EPSS score of < 1% indicates that documented exploitation attempts are currently rare, but the vulnerability remains exploitable. It is not listed in the CISA KEV catalog. Exploitation likely requires delivering a serialized payload to a web-facing endpoint that accepts user input, which is typical of WordPress theme behaviour; this inference is based on standard theme functionality rather than explicit confirmation in the advisory.

Generated by OpenCVE AI on April 29, 2026 at 16:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Knowledge Base theme to a release later than 2.9 in which the deserialization flaw has been fixed, as soon as the vendor publishes one.
  • If an upgrade is not possible, remove the vulnerable theme entirely or disable it to eliminate the exposed surface.
  • Review any custom code or plugins that invoke the theme's serialization/deserialization functions, enforce strict input validation, and use safe deserialization practices (for example, never passing untrusted input to PHP's unserialize()).

Generated by OpenCVE AI on April 29, 2026 at 16:29 UTC.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 13 Nov 2025 11:30:00 +0000


Thu, 13 Nov 2025 10:45:00 +0000


Thu, 30 Oct 2025 15:15:00 +0000

Type: Metrics
Values Added:
  cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 23 Oct 2025 10:30:00 +0000

Type: First Time appeared
Values Added:
  Designthemes
  Designthemes knowledge Base
  Wordpress
  Wordpress wordpress

Type: Vendors & Products
Values Added:
  Designthemes
  Designthemes knowledge Base
  Wordpress
  Wordpress wordpress

Wed, 22 Oct 2025 14:45:00 +0000

Type: Description
Values Added: Deserialization of Untrusted Data vulnerability in designthemes Knowledge Base kbase allows Object Injection. This issue affects Knowledge Base: from n/a through <= 2.9.

Type: Title
Values Added: WordPress Knowledge Base theme <= 2.9 - PHP Object Injection vulnerability

Type: Weaknesses
Values Added: CWE-502

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T18:43:09.987Z

Reserved: 2025-09-25T15:34:33.695Z

Link: CVE-2025-60228

Vulnrichment

Updated: 2025-10-23T17:31:57.542Z

NVD

Status : Deferred

Published: 2025-10-22T15:16:00.003

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-60228

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T16:30:15Z

Weaknesses