Description
Deserialization of Untrusted Data vulnerability in ThemeREX Sound | Musical Instruments Online Store musicplace allows Object Injection. This issue affects Sound | Musical Instruments Online Store: from n/a through <= 1.6.9.
Published: 2026-01-22
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a deserialization of untrusted data flaw that allows attackers to perform object injection. This flaw is classified as CWE‑502 and can result in remote code execution, compromising the confidentiality, integrity, and availability of the affected site. The main risk is that an attacker can craft malicious serialized objects that the theme will unserialize and execute, potentially giving full control over the web application.

Affected Systems

The defect applies to the WordPress ThemeREX Sound | Musical Instruments Online Store theme at versions 1.6.9 and earlier. Sites that use this theme, whether installed on WordPress 5.x or newer, are affected until the theme is updated beyond that release.

Risk and Exploitability

The CVSS score of 9.8 indicates critical severity. The EPSS score of less than 1% suggests a low probability of exploitation, and the flaw has no KEV listing, but this does not diminish the importance of remediation. Attackers would likely exploit the flaw by sending a crafted serialized payload to an endpoint or component of the theme that performs unserialization, through either authenticated or unauthenticated requests. The exact attack vector is not disclosed, so defensive measures should assume both scenarios.

Generated by OpenCVE AI on April 29, 2026 at 10:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the ThemeREX Sound | Musical Instruments Online Store theme to the latest release available from the vendor.
  • If an immediate update is not possible, deactivate the vulnerable theme or switch to a different, non‑vulnerable theme until a patched version can be installed.
  • Perform a full security scan of the site to detect any injected or malicious content and remediate any findings before returning the site to production.
  • Regularly check the vendor’s website or security advisories for updates or patches that address this vulnerability.

Advisories

No advisories yet.

History

Tue, 27 Jan 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 23 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in ThemeREX Sound | Musical Instruments Online Store musicplace allows Object Injection. This issue affects Sound | Musical Instruments Online Store: from n/a through <= 1.6.9.
Title WordPress Sound | Musical Instruments Online Store theme <= 1.6.9 - Deserialization of untrusted data vulnerability
Weaknesses CWE-502
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:41:27.552Z

Reserved: 2025-12-29T11:19:12.555Z

Link: CVE-2025-69079

Vulnrichment

Updated: 2026-01-27T15:23:36.903Z

NVD

Status: Deferred

Published: 2026-01-22T17:16:22.170

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-69079

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T10:45:09Z

Weaknesses