Description
Deserialization of Untrusted Data vulnerability in BoldThemes Ippsum ippsum allows Object Injection. This issue affects Ippsum: from n/a through <= 1.2.0.
Published: 2026-02-20
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a PHP Object Injection flaw that occurs when untrusted serialized data is deserialized without proper validation. A crafted payload can embed malicious objects, enabling an attacker to execute arbitrary code on the web server. This weakness, identified as CWE-502, can compromise confidentiality, integrity, and availability of the affected WordPress installation.

Affected Systems

The issue affects the BoldThemes Ippsum theme for WordPress, versions from the earliest release through 1.2.0 inclusive. The theme is distributed under the BoldThemes vendor umbrella and is commonly installed on public websites that rely on WordPress as their content management system.

Risk and Exploitability

The CVSS score of 9.8 reflects the severity of the potential impact. The EPSS score is less than 1%, indicating that, at this time, the probability of real‑world exploitation is low, but the vulnerability is still serious if it is discovered. The flaw is not listed in the CISA KEV catalog. An attacker would need to supply a malicious serialized payload through an exposed input—most likely an upload or URL parameter—where the theme blindly unserializes data. Based on the description, it is inferred that the attack vector is an HTTP request (authenticated or unauthenticated) that reaches the deserialization point, on a server whose PHP environment supports object injection. This combination gives the attacker a path to remote code execution if the server's PHP configuration does not restrict allowable classes during unserialize.

Generated by OpenCVE AI on April 29, 2026 at 11:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Ippsum theme to a version newer than 1.2.0, which contains the fix for the PHP object injection flaw.
  • If a version upgrade is not immediately possible, temporarily disable or deactivate the Ippsum theme to remove the vulnerable code path from the live site.
  • If disabling the theme is infeasible, apply a patch that restricts unserialize to allowed classes by adding the "allowed_classes" parameter or otherwise sanitizing input before deserialization.
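The third recommended action, restricting unserialize to allowed classes, is illustrated below with an added example; this is not code from the Ippsum theme or from OpenCVE, and the function names, the settings-loading scenario and the sample inputs are constructed for illustration. It places the unsafe call beside the hardened one and shows how a payload that smuggles an object is rejected instead of instantiated.

```php
<?php
// Added example (not the Ippsum theme's code). Scenario assumed here: a
// theme option arrives as serialized text, e.g. from a request parameter
// or from stored post meta, and is turned back into a PHP array.

// Unsafe pattern: any class reachable through the autoloader can be
// instantiated from the payload, and its magic methods (__wakeup,
// __destruct, etc.) run during unserialize(). This is the CWE-502 shape.
function load_settings_unsafe(string $raw)
{
    return unserialize($raw);
}

// Hardened pattern: refuse all objects. With 'allowed_classes' => false
// (PHP 7.0+), object entries in the payload become __PHP_Incomplete_Class
// placeholders, so no class code executes. We then reject the result if any
// such placeholder is present, because a legitimate settings array never
// contains objects.
function load_settings_safe(string $raw): ?array
{
    $data = @unserialize($raw, ['allowed_classes' => false]);

    // unserialize() returns false both for malformed input and for the
    // literal serialized false; distinguish the two.
    if ($data === false && $raw !== serialize(false)) {
        return null; // malformed input
    }
    if (!is_array($data) || contains_incomplete_object($data)) {
        return null; // not a settings array, or an object was smuggled in
    }
    return $data;
}

// Walk nested arrays looking for neutralised object placeholders.
function contains_incomplete_object($value): bool
{
    if ($value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_incomplete_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// Constructed inputs for demonstration.
$plain  = serialize(['layout' => 'grid', 'columns' => 3]);
$object = serialize(['layout' => (object) ['x' => 1]]); // stdClass stands in for any object payload

var_dump(load_settings_safe($plain));   // the settings array is returned
var_dump(load_settings_safe($object));  // null: the object entry was rejected
```

Where the storage format can be changed, json_encode()/json_decode() with the associative flag avoids the object-instantiation problem entirely; `allowed_classes` is the narrowest fix when the serialized format must be kept.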


Tracking


Advisories

No advisories yet.

History

Thu, 26 Feb 2026 00:15:00 +0000

Type: Metrics (ssvc)
Values removed: none
Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 24 Feb 2026 22:30:00 +0000

Type: Metrics (cvssV3_1)
Values removed: none
Values added: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Mon, 23 Feb 2026 15:00:00 +0000

Type: First Time appeared
Values removed: none
Values added: Boldthemes; Boldthemes ippsum; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values removed: none
Values added: Boldthemes; Boldthemes ippsum; Wordpress; Wordpress wordpress

Fri, 20 Feb 2026 16:15:00 +0000

Type: Description
Values removed: none
Values added: Deserialization of Untrusted Data vulnerability in BoldThemes Ippsum ippsum allows Object Injection. This issue affects Ippsum: from n/a through <= 1.2.0.

Type: Title
Values removed: none
Values added: WordPress Ippsum theme <= 1.2.0 - PHP Object Injection vulnerability

Type: Weaknesses
Values removed: none
Values added: CWE-502

Type: References
Values removed: none
Values added: none listed

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:01:08.511Z

Reserved: 2025-12-19T10:17:09.987Z

Link: CVE-2025-68541

Vulnrichment

Updated: 2026-02-24T21:00:01.968Z

NVD

Status: Deferred

Published: 2026-02-20T16:22:11.510

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-68541

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T11:15:09Z

Weaknesses