Description
Deserialization of Untrusted Data vulnerability in ThemeREX Tennis Club tennis-sportclub allows Object Injection. This issue affects Tennis Club: from n/a through <= 1.2.3.
Published: 2026-03-05
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: PHP Object Injection
Action: Apply Patch
AI Analysis

Impact

Deserialization of untrusted data in the WordPress Tennis Club theme enables PHP Object Injection, a vulnerability that can allow an attacker to execute arbitrary code, modify or delete data, and potentially take full control of the affected server. This weakness corresponds to CWE‑502 and carries a CVSS score of 9.8, indicating critical severity. The flaw arises when the theme processes serialized input without proper validation, giving an attacker the opportunity to inject malicious objects.

Affected Systems

The vulnerability affects ThemeREX's Tennis Club WordPress theme versions up to and including 1.2.3. Websites that have installed this theme and have not applied a newer patch are at risk.

Risk and Exploitability

The attack vector is likely any input path provided by the theme that accepts serialized data, such as importing settings or using the theme’s widget options. Exploitation requires crafting a malicious serialized payload, which the theme then blindly deserializes. Although the EPSS score is below 1% and the issue is not listed in the CISA KEV catalog, the high CVSS score and the nature of object injection make it a high‑risk vulnerability for exposed websites, warranting urgent attention.

Generated by OpenCVE AI on April 15, 2026 at 23:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Tennis Club theme to version 1.2.4 or later, if a patch is available, or replace the theme with a secure alternative.
  • If an upgrade is not possible, deactivate or uninstall the theme and any plugins that rely on it until a fix can be applied.
  • Restrict or sanitize any inputs that trigger deserialization, such as disabling import options, and ensure that only trusted users can access these features.



Advisories

No advisories yet.

History

Fri, 06 Mar 2026 19:15:00 +0000

Type: Metrics
  Values Removed: (none)
  Values Added:
    cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 06 Mar 2026 15:30:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added:
    Themerex
    Themerex tennis Club
    Wordpress
    Wordpress wordpress

Type: Vendors & Products
  Values Removed: (none)
  Values Added:
    Themerex
    Themerex tennis Club
    Wordpress
    Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: Deserialization of Untrusted Data vulnerability in ThemeREX Tennis Club tennis-sportclub allows Object Injection. This issue affects Tennis Club: from n/a through <= 1.2.3.

Type: Title
  Values Removed: (none)
  Values Added: WordPress Tennis Club theme <= 1.2.3 - PHP Object Injection vulnerability

Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-502

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:16.823Z

Reserved: 2026-02-19T09:52:39.681Z

Link: CVE-2026-27437

Vulnrichment

Updated: 2026-03-06T18:47:12.087Z

NVD

Status: Awaiting Analysis

Published: 2026-03-05T06:16:29.497

Modified: 2026-03-06T19:16:17.713

Link: CVE-2026-27437

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T23:30:17Z

Weaknesses