Description
Deserialization of Untrusted Data vulnerability in ThemeREX Lorem Ipsum | Books & Media Store lorem-ipsum-books-media-store allows Object Injection.This issue affects Lorem Ipsum | Books & Media Store: from n/a through <= 1.2.11.
Published: 2026-02-20
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Object Injection leading to arbitrary code execution
Action: Immediate Patch
AI Analysis

Impact

Deserialization of untrusted data within the Lorem Ipsum | Books & Media Store theme allows an attacker to inject PHP objects. This can result in arbitrary code execution, compromising the confidentiality, integrity, and availability of the affected WordPress site. The weakness is identified as CWE-502.

Affected Systems

The flaw exists in the ThemeREX Lorem Ipsum | Books & Media Store WordPress theme for all releases through version 1.2.11. Any WordPress installation that has this theme active and has not upgraded beyond 1.2.11 is vulnerable. The vendor is ThemeREX; the product name is Lorem Ipsum | Books & Media Store.

Risk and Exploitability

The CVSS score of 9.8 marks it as critical, while the EPSS score of less than 1% indicates a low but nonzero chance of exploitation. The vulnerability is not listed in the CISA KEV catalog, suggesting no known active exploitation in the wild yet. Attackers can likely exploit the issue remotely by submitting crafted data to the theme’s deserialization logic, possibly via form submissions or upload mechanisms. The absence of a public exploit does not mitigate the high-risk nature implied by the CVSS score.

Generated by OpenCVE AI on April 27, 2026 at 20:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Lorem Ipsum | Books & Media Store theme to a version newer than 1.2.11, as newer releases resolve the deserialization flaw.
  • If an immediate upgrade is not possible, deactivate or remove the theme until a fix is applied, and verify that no residual settings or files remain.
  • Scan the WordPress installation for any unauthorized files or code injected via the theme, and review audit logs for suspicious activity.
  • Apply general WordPress hardening measures such as limiting file permissions, disabling file editing from the admin panel, and ensuring that the theme only processes trusted data.

Generated by OpenCVE AI on April 27, 2026 at 20:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in ThemeREX Lorem Ipsum | Books & Media Store lorem-ipsum-books-media-store allows Object Injection.This issue affects Lorem Ipsum | Books & Media Store: from n/a through <= 1.2.6. Deserialization of Untrusted Data vulnerability in ThemeREX Lorem Ipsum | Books & Media Store lorem-ipsum-books-media-store allows Object Injection.This issue affects Lorem Ipsum | Books & Media Store: from n/a through <= 1.2.11.
Title WordPress Lorem Ipsum | Books & Media Store theme <= 1.2.6 - PHP Object Injection vulnerability WordPress Lorem Ipsum | Books & Media Store theme <= 1.2.11 - PHP Object Injection vulnerability

Wed, 25 Feb 2026 08:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 24 Feb 2026 22:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Mon, 23 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Themerex
Themerex lorem Ipsum | Books & Media Store
Wordpress
Wordpress wordpress
Vendors & Products Themerex
Themerex lorem Ipsum | Books & Media Store
Wordpress
Wordpress wordpress

Fri, 20 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in ThemeREX Lorem Ipsum | Books & Media Store lorem-ipsum-books-media-store allows Object Injection.This issue affects Lorem Ipsum | Books & Media Store: from n/a through <= 1.2.6.
Title WordPress Lorem Ipsum | Books & Media Store theme <= 1.2.6 - PHP Object Injection vulnerability
Weaknesses CWE-502
References

Subscriptions

Themerex Lorem Ipsum | Books & Media Store
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T21:00:51.555Z

Reserved: 2025-12-31T20:13:23.067Z

Link: CVE-2025-69405

cve-icon Vulnrichment

Updated: 2026-02-24T21:00:26.336Z

cve-icon NVD

Status : Deferred

Published: 2026-02-20T16:22:26.417

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-69405

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-27T20:15:12Z

Weaknesses