Description
Deserialization of Untrusted Data vulnerability in Jthemes Prestige prestige allows Object Injection. This issue affects Prestige: from n/a through < 1.4.1.
Published: 2026-02-20
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Deserialization of untrusted data in the Prestige theme allows object injection, which can be leveraged to create arbitrary PHP objects that execute attacker‑supplied code. This weakness directly permits full control over the server process, compromising confidentiality, integrity, and availability of the affected WordPress installation.

Affected Systems

The vulnerability impacts the Jthemes Prestige theme on WordPress installations running any version prior to 1.4.1. It does not affect later releases or other themes.

Risk and Exploitability

The CVSS score of 9.8 indicates critical severity. The EPSS score is currently less than 1%, indicating a low probability of widespread exploitation, and the flaw is not listed in the CISA KEV catalog, meaning exploitation in the wild has not been confirmed there. Based on the description, it is inferred that an attacker can likely reach the deserialization point via a crafted HTTP request to the theme’s endpoints, but no specific deployment scenario is documented. The absence of a documented mitigation, combined with the critical CVSS score, warrants urgent attention.

Generated by OpenCVE AI on April 28, 2026 at 09:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Prestige theme to version 1.4.1 or later to eliminate the unsafe deserialization endpoint.
  • If an upgrade cannot be performed immediately, disable the theme or switch to a different, non‑vulnerable theme so the deserialization code cannot be executed.
  • Audit the WordPress site for additional instances of PHP unserialize or other unsafe deserialization patterns, and either remove such code or apply proper input validation.

Advisories

No advisories yet.

History

Wed, 25 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 24 Feb 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Mon, 23 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Jthemes
Jthemes prestige
Wordpress
Wordpress wordpress
Vendors & Products Jthemes
Jthemes prestige
Wordpress
Wordpress wordpress

Fri, 20 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in Jthemes Prestige prestige allows Object Injection. This issue affects Prestige: from n/a through < 1.4.1.
Title WordPress Prestige theme < 1.4.1 - PHP Object Injection vulnerability
Weaknesses CWE-502
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:53:08.499Z

Reserved: 2025-12-31T20:12:18.800Z

Link: CVE-2025-69329

Vulnrichment

Updated: 2026-02-24T18:45:53.988Z

NVD

Status: Deferred

Published: 2026-02-20T16:22:20.173

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-69329

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T09:45:28Z

Weaknesses