Description
Deserialization of Untrusted Data vulnerability in designthemes Single Property single-property allows Object Injection. This issue affects Single Property: from n/a through <= 2.8.
Published: 2025-10-22
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The designthemes Single Property theme deserializes untrusted data, which exposes it to PHP Object Injection. This flaw is classified as CWE-502 and can enable an attacker to instantiate arbitrary PHP objects, leading to remote code execution or privilege escalation on the affected WordPress site. The vulnerability is present in all releases of the theme from the initial version up to and including 2.8.

Affected Systems

WordPress sites that have the designthemes Single Property theme installed, version 2.8 or earlier, are affected. No additional products are listed; the theme itself is the sole impacted component.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation. The vulnerability is not listed in CISA KEV. The attack vector is inferred to involve an attacker supplying crafted serialized data to the theme, which is then deserialized without proper validation. While the exact entry point is not described in the advisory, it is reasonable to assume that any input channel that triggers deserialization could be abused, potentially allowing remote execution of arbitrary code on the host.

Generated by OpenCVE AI on April 29, 2026 at 14:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Single Property theme to a version later than 2.8 once an official patch is released.
  • If an upgrade is not immediately possible, deactivate or remove the Single Property theme to prevent exploitation.
  • Verify that no untrusted serialized data is being processed by the theme; apply input validation and sanitization measures to all data flowing through the theme's deserialization functions.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 13 Nov 2025 11:30:00 +0000


Thu, 13 Nov 2025 10:45:00 +0000


Fri, 24 Oct 2025 13:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 23 Oct 2025 10:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress; Wordpress wordpress
Vendors & Products | | Wordpress; Wordpress wordpress

Wed, 22 Oct 2025 14:45:00 +0000

Type | Values Removed | Values Added
Description | | Deserialization of Untrusted Data vulnerability in designthemes Single Property single-property allows Object Injection. This issue affects Single Property: from n/a through <= 2.8.
Title | | WordPress Single Property theme <= 2.8 - PHP Object Injection vulnerability
Weaknesses | | CWE-502
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T18:43:29.160Z

Reserved: 2025-09-25T15:34:39.168Z

Link: CVE-2025-60234

Vulnrichment

Updated: 2025-10-24T12:55:30.440Z

NVD

Status: Deferred

Published: 2025-10-22T15:16:00.260

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-60234

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T14:15:14Z

Weaknesses