Description
Deserialization of Untrusted Data vulnerability in ThemeREX Pets Club petclub allows Object Injection. This issue affects Pets Club: from n/a through <= 2.3.
Published: 2026-03-05
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via PHP Object Injection
Action: Apply Patch
AI Analysis

Impact

The WordPress Pets Club theme deserializes untrusted data, which allows PHP Object Injection. An attacker can send a crafted payload that is interpreted by the theme, enabling the execution of arbitrary code on the server. This vulnerability is classified as CWE-502 and can compromise confidentiality, integrity, and availability of the affected site.

Affected Systems

ThemeREX Pets Club theme, versions up through 2.3. Any WordPress installation that has one of those versions of the theme installed is susceptible. The issue resides in the theme’s code, not the core WordPress software.

Risk and Exploitability

The CVSS score is 9.8, marking it as critical, while the EPSS score of less than 1% indicates a low current probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog, so no confirmed active exploitation has been recorded. The likely attack vector is via a crafted HTTP request that reaches the vulnerable deserialization routine in the theme; this inference is based on the nature of PHP Object Injection.

Generated by OpenCVE AI on April 16, 2026 at 05:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Pets Club theme to a version higher than 2.3 that includes the deserialization fix.
  • If an upgrade cannot be performed immediately, deactivate or uninstall the Pets Club theme to remove the vulnerable code path.
  • Implement a temporary protective measure by restricting or blocking HTTP requests that carry serialized data—e.g., through ModSecurity WAF rules or by setting stricter file permissions on theme files that handle deserialization.


Advisories

No advisories yet.

History

Mon, 09 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics
  cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared: Themerex; Themerex pets Club; Wordpress; Wordpress wordpress
Vendors & Products: Themerex; Themerex pets Club; Wordpress; Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Type Values Removed Values Added
Description: Deserialization of Untrusted Data vulnerability in ThemeREX Pets Club petclub allows Object Injection. This issue affects Pets Club: from n/a through <= 2.3.
Title: WordPress Pets Club theme <= 2.3 - PHP Object Injection vulnerability
Weaknesses: CWE-502
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T17:15:10.127Z

Reserved: 2026-01-07T13:43:49.724Z

Link: CVE-2026-22453

Vulnrichment

Updated: 2026-03-09T16:11:50.974Z

NVD

Status: Deferred

Published: 2026-03-05T06:16:19.580

Modified: 2026-04-22T21:26:58.303

Link: CVE-2026-22453

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T05:30:25Z
