Description
Deserialization of Untrusted Data vulnerability in designthemes Kids Heaven kids-world allows Object Injection.This issue affects Kids Heaven: from n/a through <= 3.2.
Published: 2026-01-22
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a PHP Object Injection flaw caused by deserialization of untrusted data in the Kids Heaven theme. An attacker who can craft a payload that influences the theme’s internal state could instantiate arbitrary objects, potentially leading to execution of unintended code or manipulation of the application. This flaw belongs to CWE-502 and provides a direct path to compromise the integrity and confidentiality of the site.

Affected Systems

The issue affects the DesignThemes Kids Heaven theme for WordPress in all releases from the earliest version up through 3.2. Any instance of this theme that has not been upgraded beyond 3.2 is potentially vulnerable.

Risk and Exploitability

The CVSS score of 8.8 reflects a high severity and the EPSS score of less than 1% indicates that current exploitation probabilities are low but not negligible. The vulnerability is not listed in the CISA KEV catalog, suggesting no widespread active exploitation has been documented. Based on the description, the likely attack vector involves sending crafted HTTP requests that trigger the theme’s deserialization routine, which may require an authenticated WordPress session with access to theme settings or the ability to influence theme options.

Generated by OpenCVE AI on April 29, 2026 at 12:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Kids Heaven theme to a version newer than 3.2 that contains the fix.
  • If an upgrade is not possible, disable or delete the theme until a patch is available to prevent deserialization exploitation.
  • Limit the permissions for editing theme options to trusted administrators and monitor for anomalous activity or attempts to inject serialized objects.

Generated by OpenCVE AI on April 29, 2026 at 12:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 29 Jan 2026 01:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Designthemes
Designthemes kids Heaven
Wordpress
Wordpress wordpress
Vendors & Products Designthemes
Designthemes kids Heaven
Wordpress
Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in designthemes Kids Heaven kids-world allows Object Injection.This issue affects Kids Heaven: from n/a through <= 3.2.
Title WordPress Kids Heaven theme <= 3.2 - PHP Object Injection vulnerability
Weaknesses CWE-502
References

Subscriptions

Designthemes Kids Heaven
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:25:40.409Z

Reserved: 2025-12-09T16:46:41.863Z

Link: CVE-2025-67619

cve-icon Vulnrichment

Updated: 2026-01-29T01:09:33.632Z

cve-icon NVD

Status : Deferred

Published: 2026-01-22T17:16:02.090

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-67619

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T12:15:09Z

Weaknesses