Description
Subscriber PHP Object Injection in Entrepreneur - Booking for Small Businesses WordPress Theme <= 3.1.3 versions.
Published: 2026-06-17
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is PHP object injection in the Entrepreneur – Booking for Small Businesses WordPress theme, affecting all releases up to 3.1.3. By inserting malicious serialized data, an attacker can cause the theme to deserialize untrusted input, potentially leading to arbitrary code execution on the server. The flaw is categorized as CWE‑502 and can compromise confidentiality, integrity, and availability of the site.

Affected Systems

The product affected is the WordPress theme Entrepreneur – Booking for Small Businesses from Themovation. Versions 3.1.3 and earlier are vulnerable. Any WordPress installation that uses these theme versions and processes user input that reaches the deserialization logic is at risk.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity vulnerability. The EPSS score is not available, and the vulnerability is not currently listed in the CISA KEV catalog. The flaw can likely be exploited remotely via the web interface that feeds serialized data to the theme’s PHP code. An attacker who can influence input fields or inject payloads could achieve remote code execution.

Generated by OpenCVE AI on June 18, 2026 at 11:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Entrepreneur theme to a patched version (e.g., 3.1.4 or newer if available).
  • If immediate upgrade is not feasible, disable any features that accept serialized data or restrict user input to validated fields, reducing the attack surface.
  • Replace insecure unserialize calls with safe deserialization functions or manually patch the theme’s PHP files to enforce strict type checks and remove raw deserialization.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 04:45:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 14:00:00 +0000

Type | Values Removed | Values Added
Description | | Subscriber PHP Object Injection in Entrepreneur - Booking for Small Businesses WordPress Theme <= 3.1.3 versions.
Title | | WordPress Entrepreneur - Booking for Small Businesses WordPress Theme theme <= 3.1.3 - PHP Object Injection vulnerability
Weaknesses | | CWE-502
References | |
Metrics | | cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T15:29:01.211Z

Reserved: 2025-12-29T11:19:37.128Z

Link: CVE-2025-69130

Vulnrichment

Updated: 2026-06-17T14:11:14.560Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T12:00:16Z

Weaknesses
  • CWE-502: Deserialization of Untrusted Data