Description
Deserialization of Untrusted Data vulnerability in designthemes Dental Clinic dental allows Object Injection.This issue affects Dental Clinic: from n/a through <= 3.7.
Published: 2026-03-05
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Deserialization of untrusted data in the designthemes Dental Clinic WordPress theme (≤ 3.7) permits PHP Object Injection. An attacker can supply crafted input that causes PHP to instantiate arbitrary objects, potentially leading to code execution, data disclosure, or privilege escalation. The weakness is classified as CWE‑502, indicating that maliciously crafted serialized data is handled without proper validation.

Affected Systems

Versions of the Dental Clinic theme supplied by designthemes with build numbers up to and including 3.7 are affected. The vulnerability applies whenever the theme processes user-supplied serialized data, such as through theme settings or AJAX callbacks in the front‑end. No other products or versions are listed as impacted.

Risk and Exploitability

With a CVSS score of 8.8 the issue is considered high severity. The EPSS score of < 1 % indicates that automated exploitation is currently rare, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack vector involves inbound HTTP requests that contain the serialized payload, typically through the theme’s configuration interface or exposed REST endpoints. Successful exploitation would give an attacker remote code execution privileges on the WordPress installation, affecting confidentiality, integrity, and availability of the site.

Generated by OpenCVE AI on April 16, 2026 at 12:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Dental Clinic theme to a version newer than 3.7, if an updated release is available from designthemes.
  • If an update is not feasible, deactivate or remove the Dental Clinic theme to eliminate the vulnerable code path.
  • Ensure that the WordPress installation and its files have strict permissions (e.g., 755 for directories, 644 for files) and that the theme directory is not writable by users who should not deploy code.
  • Keep the core WordPress software, all other plugins, and the theme configuration up to date, and monitor admin logs for anomalous POST requests that contain serialized data.

Generated by OpenCVE AI on April 16, 2026 at 12:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 09 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Designthemes
Designthemes dental Clinic
Wordpress
Wordpress wordpress
Vendors & Products Designthemes
Designthemes dental Clinic
Wordpress
Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in designthemes Dental Clinic dental allows Object Injection.This issue affects Dental Clinic: from n/a through <= 3.7.
Title WordPress Dental Clinic theme <= 3.7 - PHP Object Injection vulnerability
Weaknesses CWE-502
References

Subscriptions

Designthemes Dental Clinic
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:13:58.678Z

Reserved: 2026-01-07T13:44:06.689Z

Link: CVE-2026-22473

cve-icon Vulnrichment

Updated: 2026-03-09T15:24:15.009Z

cve-icon NVD

Status : Deferred

Published: 2026-03-05T06:16:20.907

Modified: 2026-04-22T21:26:58.303

Link: CVE-2026-22473

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T13:00:11Z

Weaknesses