Description
Deserialization of Untrusted Data vulnerability in TieLabs Jannah jannah allows Object Injection.This issue affects Jannah: from n/a through <= 7.6.0.
Published: 2025-12-18
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Deserialization of untrusted data in the WordPress Jannah theme enables PHP object injection. When a maliciously crafted serialized string is processed, an attacker can instantiate arbitrary PHP objects and manipulate class properties, potentially leading to code execution or other privilege escalation within the web application. The very high CVSS score reflects this severe impact on confidentiality, integrity, and availability of the affected site.

Affected Systems

The vulnerability affects the TieLabs Jannah WordPress theme, versions up to and including 7.6.0. Any site using Jannah 7.6.0 or earlier exposes the deserialization path and is at risk.

Risk and Exploitability

The CVSS score of 9.8 denotes critical severity, while the EPSS score of less than 1% indicates the probability of exploitation is currently low but not zero. The issue is not yet listed in CISA’s KEV catalog, but the high impact warrants immediate attention. Attackers would need to supply a serialized payload via a user‑controlled input vector; the exact vector is not specified in the advisory, so it is inferred that a request to a PHP endpoint that processes serialized data would be the entry point. No further prerequisites or privileges are documented, suggesting an unauthenticated or low‑privilege exploitation route.

Generated by OpenCVE AI on April 29, 2026 at 15:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Jannah theme to a version newer than 7.6.0, which removes the vulnerable deserialization code.
  • If an upgrade is not immediately possible, restrict access to any endpoints that accept serialized data by blocking or sanitizing incoming requests, and consider applying PHP’s `unserialize()` restrictions such as the `$allowed_classes` parameter.
  • Disable PHP object serialization where feasible by configuring the theme or server to reject or properly validate serialized inputs before deserialization.

Generated by OpenCVE AI on April 29, 2026 at 15:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Fri, 19 Dec 2025 09:30:00 +0000

Type Values Removed Values Added
First Time appeared Tielabs
Tielabs jannah
Wordpress
Wordpress wordpress
Vendors & Products Tielabs
Tielabs jannah
Wordpress
Wordpress wordpress

Thu, 18 Dec 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 18 Dec 2025 07:45:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in TieLabs Jannah jannah allows Object Injection.This issue affects Jannah: from n/a through <= 7.6.0.
Title WordPress Jannah theme <= 7.6.0 - PHP Object Injection vulnerability
Weaknesses CWE-502
References

Subscriptions

Tielabs Jannah
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T18:24:30.634Z

Reserved: 2025-10-29T03:07:04.007Z

Link: CVE-2025-64206

cve-icon Vulnrichment

Updated: 2025-12-18T19:29:04.097Z

cve-icon NVD

Status : Deferred

Published: 2025-12-18T08:16:11.017

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-64206

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T15:45:14Z

Weaknesses