Description
Deserialization of Untrusted Data vulnerability in ThemeGoods PhotoMe photome allows Object Injection.This issue affects PhotoMe: from n/a through <= 5.6.11.
Published: 2026-02-20
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a PHP deserialization flaw that allows an attacker to inject arbitrary PHP objects into the ThemeGoods PhotoMe theme. This Object Injection can lead to remote code execution, enabling attackers to compromise the entire WordPress site. The weakness is classified as CWE‑502, deserialization of untrusted data.

Affected Systems

WordPress sites using the ThemeGoods PhotoMe theme, versions 5.6.11 and earlier.

Risk and Exploitability

The CVSS score of 9.8 indicates a critical severity. The EPSS score is below 1 %, showing that exploitation is currently considered unlikely but still possible. The vulnerability is not listed in the CISA KEV catalog. Exploitation would require an attacker to provide crafted serialized data, most likely through a theme setting, REST API, or other input vector that accepts untrusted input. Because the flaw enables arbitrary code execution, a successful exploitation would give the attacker full control of the compromised WordPress installation. However, the low EPSS suggests that, as of now, there is minimal evidence of active exploitation in the wild.

Generated by OpenCVE AI on April 27, 2026 at 20:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the PhotoMe theme to the latest available version (versions newer than 5.6.11).
  • If an upgrade is not yet available, disable the PhotoMe theme or switch to a different, non‑vulnerable theme.
  • Review and sanitize any WordPress input that may deserialize data, and consider disabling or restricting features that trigger the vulnerable code path until a patch is applied.

Generated by OpenCVE AI on April 27, 2026 at 20:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 25 Feb 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 24 Feb 2026 22:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Mon, 23 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Themegoods
Themegoods photome
Wordpress
Wordpress wordpress
Vendors & Products Themegoods
Themegoods photome
Wordpress
Wordpress wordpress

Fri, 20 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in ThemeGoods PhotoMe photome allows Object Injection.This issue affects PhotoMe: from n/a through <= 5.6.11.
Title WordPress PhotoMe theme <= 5.6.11 - PHP Object Injection vulnerability
Weaknesses CWE-502
References

Subscriptions

Themegoods Photome
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:46:33.634Z

Reserved: 2025-12-31T20:11:57.533Z

Link: CVE-2025-69301

cve-icon Vulnrichment

Updated: 2026-02-24T21:00:08.440Z

cve-icon NVD

Status : Deferred

Published: 2026-02-20T16:22:17.497

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-69301

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-27T20:45:12Z

Weaknesses