Description
Deserialization of Untrusted Data vulnerability in AivahThemes Anona anona allows Object Injection. This issue affects Anona: from n/a through <= 8.0.
Published: 2026-01-22
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a deserialization of untrusted data flaw that permits PHP Object Injection in the Anona theme for WordPress. An attacker can construct malicious serialized payloads that, when processed by the theme, can lead to arbitrary code execution or other severe compromise. The weakness is classified as CWE-502 and could give an attacker full control of the affected site.

Affected Systems

The issue affects the WordPress Anona theme from version n/a through 8.0, distributed by the vendor AivahThemes under the product name Anona. WordPress installations running any of these versions are potentially vulnerable.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, and the EPSS score of less than 1% suggests a relatively low current exploitation probability. Because the flaw involves PHP object injection, the most likely attack vector is any user input that the theme passes to PHP's unserialize() function, such as custom fields or theme configuration options; this is an inference drawn from the vulnerability description. The vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on April 29, 2026 at 10:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Anona theme to the latest patched version that removes the vulnerable unserialize usage.
  • Audit the theme code to ensure that any remaining unserialize calls process only trusted data and consider replacing them with safer alternatives or adding strict validation.
  • Remove or sanitize any legacy theme settings or custom code that passes user-supplied data to unserialize functions.



Advisories

No advisories yet.

History

Tue, 27 Jan 2026 21:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
 | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 23 Jan 2026 16:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress; Wordpress wordpress
Vendors & Products | | Wordpress; Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type | Values Removed | Values Added
Description | | Deserialization of Untrusted Data vulnerability in AivahThemes Anona anona allows Object Injection. This issue affects Anona: from n/a through <= 8.0.
Title | | WordPress Anona theme <= 8.0 - PHP Object Injection vulnerability
Weaknesses | | CWE-502
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:08:00.236Z

Reserved: 2025-12-24T14:00:47.909Z

Link: CVE-2025-68903

Vulnrichment

Updated: 2026-01-27T21:00:33.511Z

NVD

Status: Deferred

Published: 2026-01-22T17:16:14.113

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-68903

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T11:00:10Z
