Description
Deserialization of Untrusted Data vulnerability in SeventhQueen Sweet Date sweetdate allows Object Injection. This issue affects Sweet Date: from n/a through < 4.0.1.
Published: 2026-03-05
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution (inferred)
Action: Patch Immediately
AI Analysis

Impact

The Sweet Date theme for WordPress contains a deserialization of untrusted data flaw that allows attackers to inject arbitrary PHP objects. This vulnerability corresponds to CWE‑502 and can lead to remote code execution (inferred from the nature of PHP object injection), enabling attackers to compromise the confidentiality, integrity, and availability of the affected website.

Affected Systems

Any WordPress installation that uses the SeventhQueen Sweet Date theme in a version earlier than 4.0.1, from the theme’s initial release onward.

Risk and Exploitability

The CVSS score of 9.8 indicates a critical severity, while the EPSS score of < 1% implies a very low current exploitation probability. The likely attack vector is remote (inferred), requiring an attacker to craft a serialized payload and send it via the theme’s web interface or any endpoint that deserializes user input; if the vulnerability is triggered, it is inferred that the attacker could execute arbitrary code on the web server. The issue is not listed in CISA’s KEV catalog, so it has not been confirmed as a known exploited vulnerability yet.

Generated by OpenCVE AI on April 18, 2026 at 09:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Sweet Date theme update (v4.0.1 or newer) to eliminate the deserialization flaw.
  • If the theme cannot be updated immediately, temporarily deactivate it or switch to a different theme to prevent exploitation.
  • Validate or sanitize any data before it reaches the theme’s deserializer; consider implementing a safe serialization filter or using WordPress-provided functions that enforce safe deserialization per CWE‑502 guidelines.
  • Keep WordPress core, plugins, and other themes up to date, and use firewall rules or monitoring to detect suspicious serialized payloads.

Advisories

No advisories yet.

History

Fri, 06 Mar 2026 19:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 06 Mar 2026 15:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Seventhqueen; Seventhqueen sweet Date; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Seventhqueen; Seventhqueen sweet Date; Wordpress; Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Type: Description
Values Added: Deserialization of Untrusted Data vulnerability in SeventhQueen Sweet Date sweetdate allows Object Injection. This issue affects Sweet Date: from n/a through < 4.0.1.

Type: Title
Values Added: WordPress Sweet Date theme < 4.0.1 - PHP Object Injection vulnerability

Type: Weaknesses
Values Added: CWE-502

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:16.391Z

Reserved: 2026-02-19T09:52:28.127Z

Link: CVE-2026-27417

Vulnrichment

Updated: 2026-03-06T18:49:10.099Z

NVD

Status: Deferred

Published: 2026-03-05T06:16:29.223

Modified: 2026-04-22T21:26:58.303

Link: CVE-2026-27417

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T10:00:10Z

Weaknesses