CVE-2025-24779
Description
Deserialization of Untrusted Data vulnerability in the NooTheme Yogi theme allows PHP Object Injection. This issue affects Yogi versions before 2.9.3 (no lower bound is given).
Analysis
Unsafe deserialization in the NooTheme Yogi WordPress theme (versions before 2.9.3) lets an attacker who can supply serialized input make the theme instantiate PHP objects of attacker-chosen classes. Object injection on its own does not execute code; the impact depends on which classes are loaded in the site's PHP process. If a usable gadget chain exists, it can escalate to arbitrary file writes, data manipulation or remote code execution. All Yogi installations below 2.9.3 are affected. Exploitation probability is rated low (EPSS 0.16%, 36th percentile), and no active exploitation had been confirmed at the time of analysis.
Technical Context
The root cause is CWE-502 (Deserialization of Untrusted Data): PHP's unserialize(), or a wrapper around it, is applied to input the attacker can influence without restricting which classes may be instantiated. In WordPress themes such as Yogi this typically happens when theme options, post metadata, cookies or request parameters that carry serialized PHP data are unserialized as-is. An attacker who can control that input (through theme settings endpoints, AJAX or REST handlers, or an existing write to the database) supplies a payload containing an O: record that names any class already loaded in the PHP process. unserialize() creates the object and fills its properties without calling its constructor; if that class, or one reachable from its properties, has a magic method such as __wakeup, __destruct or __toString that acts on attacker-controlled values (a gadget chain), the result can be arbitrary file writes or code execution. The affected product is identified as NooTheme Yogi (CPE product yogi, a WordPress theme).
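To make the mechanism concrete, here is an added PHP example that is not code from the Yogi theme or from NooTheme: a hypothetical gadget class, the CWE-502 pattern of handing a raw blob to unserialize(), and the hardened form that forbids object instantiation and checks the shape of the result. The class name LogWriter, the payload and the setting names are all constructed for illustration.

```php
<?php
// Added illustration, not code from the Yogi theme. LogWriter, the payload and
// the option contents are hypothetical stand-ins for whatever a real theme
// unserializes.

// A gadget: any class already loaded in the PHP process whose magic method
// does something dangerous with properties the attacker chose.
class LogWriter
{
    public $path = '';
    public $data = '';

    public function __destruct()
    {
        // A real gadget would do file_put_contents($this->path, $this->data).
        echo "[gadget] __destruct would write " . strlen($this->data)
            . " bytes to {$this->path}\n";
    }
}

// CWE-502 pattern: whatever arrived is unserialized as-is, so an "O:" record
// in the input instantiates whichever loaded class it names.
function load_settings_vulnerable(string $blob)
{
    return unserialize($blob);
}

// Hardened: allowed_classes => false turns every object record into
// __PHP_Incomplete_Class, whose magic methods never run; then insist on the
// shape actually stored (an array of settings).
function load_settings_hardened(string $blob): array
{
    $settings = unserialize($blob, ['allowed_classes' => false]);
    if (!is_array($settings)) {
        throw new UnexpectedValueException('settings must be a serialized array');
    }
    return $settings;
}

// Constructed attacker payload, written by hand so no LogWriter object exists
// before the vulnerable call. 9 = strlen("LogWriter"); 14 and 16 are the
// byte lengths of the two property values.
$payload = 'O:9:"LogWriter":2:{s:4:"path";s:14:"/tmp/shell.php";'
         . 's:4:"data";s:16:"<?php echo 1; ?>";}';

// Constructed legitimate settings blob.
$legit = serialize(['theme_color' => '#336699', 'layout' => 'wide']);

// Vulnerable path: the object is created (constructor skipped, properties set)
// and its destructor fires when the last reference goes away.
$obj = load_settings_vulnerable($payload);
echo 'vulnerable: got ' . get_class($obj) . "\n";
unset($obj);

// Hardened path: the same payload is rejected; real settings still load.
try {
    load_settings_hardened($payload);
} catch (UnexpectedValueException $e) {
    echo 'hardened: rejected (' . $e->getMessage() . ")\n";
}
echo 'hardened: layout = ' . load_settings_hardened($legit)['layout'] . "\n";
```

Run it with `php demo.php` on PHP 7.0 or later, which is where the allowed_classes option was introduced. Two caveats: allowed_classes only helps if the code then validates the result, because an __PHP_Incomplete_Class that is stored and re-serialized round-trips the hostile record intact; and where the data was never meant to carry objects, storing it as JSON and reading it with json_decode() removes the class-instantiation step entirely.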
Affected Products
The vulnerability affects the NooTheme Yogi WordPress theme in all versions up to and including 2.9.2; the advisory gives no lower bound. It is fixed in Yogi 2.9.3 and later.
Remediation
Update the NooTheme Yogi theme to version 2.9.3 or later. In the WordPress dashboard go to Appearance > Themes, locate Yogi and apply the update if one is offered; otherwise obtain 2.9.3 from the vendor's official distribution channel and install it manually. After updating, clear any page or object cache that may still hold old theme data and verify that the theme renders correctly. Until the update is deployed, shrink the attack surface that reaches the deserialization: limit the accounts that can change theme settings to trusted users and review WordPress roles for excess privilege. This page does not state what privilege, if any, exploitation requires, so do not treat authentication alone as a safeguard. Review the serialized values the theme stores in wp_options and wp_postmeta for object records (O:... or C:...) where only arrays of scalars are expected; a serialized object naming a class the theme does not store is a sign of tampering. The Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/yogi/vulnerability/wordpress-yogi-2-9-0-php-object-injection-vulnerability has further technical detail.
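As an added helper (not from the theme, WordPress core or Patchstack), the following PHP parses PHP's serialization format without ever calling unserialize(), so a hostile value cannot instantiate anything while it is inspected, and reports every class name that an O: (object) or C: (Serializable) record would instantiate, at any nesting depth. The option names and values below are constructed sample rows, not real database contents.

```php
<?php
// Added detection helper, not code from the Yogi theme, WordPress core or
// Patchstack. It walks PHP's serialize() format by hand, so nothing is ever
// instantiated, and returns the class named by every O: and C: record.

function expect(string $s, int &$pos, string $lit): void {
    if (substr($s, $pos, strlen($lit)) !== $lit) {
        throw new UnexpectedValueException("expected '$lit' at offset $pos");
    }
    $pos += strlen($lit);
}

// Decimal length/count field plus the ':' that terminates it.
function read_length(string $s, int &$pos): int {
    $end = strpos($s, ':', $pos);
    $digits = $end === false ? '' : substr($s, $pos, $end - $pos);
    if ($digits === '' || !ctype_digit($digits)) {
        throw new UnexpectedValueException("bad length at offset $pos");
    }
    $pos = $end + 1;
    return (int) $digits;
}

// LEN:"bytes", used for string values, class names and property names.
function read_string(string $s, int &$pos): string {
    $len = read_length($s, $pos);
    expect($s, $pos, '"');
    $str = substr($s, $pos, $len);
    if (strlen($str) !== $len) {
        throw new UnexpectedValueException("truncated string at offset $pos");
    }
    $pos += $len;
    expect($s, $pos, '"');
    return $str;
}

function parse_value(string $s, int &$pos, array &$classes): void {
    $type = $s[$pos] ?? '';
    $pos += 2;                                 // type letter plus ':' (or ';' for N)
    switch ($type) {
        case 'N':                              // N;
            return;
        case 'b': case 'i': case 'd':          // b:1;  i:42;  d:1.5;
            $end = strpos($s, ';', $pos);
            if ($end === false) throw new UnexpectedValueException("truncated scalar at offset $pos");
            $pos = $end + 1;
            return;
        case 's':                              // s:LEN:"...";
            read_string($s, $pos);
            expect($s, $pos, ';');
            return;
        case 'a':                              // a:COUNT:{key value ...}
        case 'O':                              // O:LEN:"Class":COUNT:{prop value ...}
            if ($type === 'O') {
                $classes[] = read_string($s, $pos);
                expect($s, $pos, ':');
            }
            $count = read_length($s, $pos);
            expect($s, $pos, '{');
            for ($i = 0; $i < 2 * $count; $i++) {  // keys/props alternate with values
                parse_value($s, $pos, $classes);
            }
            expect($s, $pos, '}');
            return;
        case 'C':                              // C:LEN:"Class":LEN:{opaque bytes}
            $classes[] = read_string($s, $pos);
            expect($s, $pos, ':');
            $len = read_length($s, $pos);
            expect($s, $pos, '{');
            $pos += $len;
            expect($s, $pos, '}');
            return;
        default:
            throw new UnexpectedValueException("unknown type '$type' at offset " . ($pos - 2));
    }
}

function find_serialized_classes(string $blob): array {
    $pos = 0;
    $classes = [];
    parse_value($blob, $pos, $classes);
    if ($pos !== strlen($blob)) throw new UnexpectedValueException("trailing data at offset $pos");
    return $classes;
}

// Constructed sample rows standing in for wp_options output; not real data.
$rows = [
    'theme_mods_yogi' => serialize(['color' => '#336699', 'sidebar' => ['left', 'right']]),
    // Object nested inside an array: a LIKE 'O:%' prefix check would miss it.
    'yogi_options'    => 'a:1:{s:6:"footer";O:9:"LogWriter":1:{s:4:"path";s:14:"/tmp/shell.php";}}',
    // A string that merely contains "O:" text: a naive regex would flag it.
    'yogi_notice'     => serialize(['text' => 'Call O:9:"Support" for help']),
];

foreach ($rows as $name => $blob) {
    try {
        $found = find_serialized_classes($blob);
        printf("%-16s %s\n", $name, $found ? 'objects: ' . implode(', ', $found) : 'clean');
    } catch (UnexpectedValueException $e) {
        printf("%-16s malformed (%s)\n", $name, $e->getMessage());
    }
}
```

Pull candidate rows with a deliberately broad query (for example WHERE option_value LIKE '%O:%' OR option_value LIKE '%C:%') and let the parser decide; as the second and third rows show, the LIKE filter by itself is neither complete nor precise. stdClass does appear legitimately in some WordPress option values, so the signal to investigate is any other class name, or any class at all in a value the theme documents as a plain array.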