Description
Deserialization of Untrusted Data vulnerability in designthemes Vivagh vivagh allows Object Injection.This issue affects Vivagh: from n/a through <= 2.4.
Published: 2026-01-22
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a Deserialization of Untrusted Data flaw that permits PHP Object Injection. An attacker who can supply a crafted serialized payload can instantiate arbitrary PHP objects in the context of the WordPress administration, potentially leading to arbitrary code execution or privilege escalation. The weakness is classified as CWE‑502. The impact could compromise the confidentiality, integrity, or availability of the WordPress site, and, if the attacker gains full control of the server, could affect the entire hosting environment.

Affected Systems

The designthemes Vivagh theme, versions from the earliest release up to and including 2.4, is affected. Any WordPress installation that has this theme active is vulnerable; no other products or themes are listed.

Risk and Exploitability

The CVSS base score of 8.8 indicates a high severity vulnerability. The EPSS score is below 1 %, suggesting that the exploitation probability is low at this time. The vulnerability is not catalogued in CISA’s KEV. It is most likely to be exploited when an attacker can deliver a crafted serialized string via the theme’s processing path – for example, through an unfiltered user input or a malicious dashboard link. The exploit requires that the vulnerable theme’s component is executed in an authenticated context, therefore successful exploitation would likely target users with administrative or similar privileges.

Generated by OpenCVE AI on April 29, 2026 at 10:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Vivagh theme to the latest available version (v2.5 or later).
  • If an upgrade is not feasible, immediately deactivate or remove the Vivagh theme from the WordPress installation.
  • Prevent untrusted data from being deserialized by configuring WordPress to disable or sanitize serialized inputs and ensuring that the theme’s deserialization code is wrapped in strict validation checks.

Generated by OpenCVE AI on April 29, 2026 at 10:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 27 Jan 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Designthemes
Designthemes vivagh
Wordpress
Wordpress wordpress
Vendors & Products Designthemes
Designthemes vivagh
Wordpress
Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in designthemes Vivagh vivagh allows Object Injection.This issue affects Vivagh: from n/a through <= 2.4.
Title WordPress Vivagh theme <= 2.4 - PHP Object Injection vulnerability
Weaknesses CWE-502
References

Subscriptions

Designthemes Vivagh
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:07:42.014Z

Reserved: 2025-12-24T14:00:47.909Z

Link: CVE-2025-68899

cve-icon Vulnrichment

Updated: 2026-01-27T21:21:18.848Z

cve-icon NVD

Status : Deferred

Published: 2026-01-22T17:16:13.607

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-68899

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T11:00:10Z

Weaknesses