
Dash WordPress Theme CVE-2025-31049

CRITICAL
Deserialization of Untrusted Data (CWE-502)
2025-05-23 audit@patchstack.com
9.8
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Updated: Apr 28, 2026 - 20:10 (vuln.today), v2 (cvss_changed)
Re-analysis Queued: Apr 23, 2026 - 15:42 (vuln.today), cvss_changed
Analysis Generated: Mar 28, 2026 - 18:43 (vuln.today)
CVE Published: May 23, 2025 - 13:15 (nvd), CRITICAL 9.8

Description (CVE.org)

Deserialization of Untrusted Data vulnerability in themeton Dash allows Object Injection. This issue affects Dash: from n/a through 1.3.

Analysis (AI-generated)

Remote unauthenticated attackers can achieve arbitrary PHP object injection in Dash WordPress theme versions up to 1.3 by exploiting unsafe deserialization of user-controlled data. The CVSS 9.8 score reflects a network-based attack that requires no authentication and can fully compromise confidentiality, integrity and availability. Despite the critical severity, the EPSS probability is relatively low (0.37%, 59th percentile), suggesting few observed exploitation attempts. The issue was reported by the Patchstack security research team and has a public vulnerability database entry. The absence of a CISA KEV listing indicates that in-the-wild exploitation has not been confirmed, though the straightforward attack vector (AV:N/AC:L/PR:N) makes it attractive for mass WordPress scanning campaigns.

Technical Context (AI-generated)

This vulnerability stems from CWE-502 (Deserialization of Untrusted Data), a dangerous class of weakness in which an application reconstructs serialized PHP objects from untrusted sources without validation. WordPress themes commonly use PHP's serialize()/unserialize() functions for configuration storage, widget data or session management. When unserialize() processes attacker-controlled input, magic methods such as __wakeup(), __destruct() or __toString() execute automatically while the object is rebuilt. The Dash theme (by themeton) lacks proper input validation on its deserialization path, allowing injection of attacker-chosen object graphs. The available CPE data does not name the exact affected component within the theme, but the Patchstack references indicate a theme-level vulnerability rather than one in a companion plugin. PHP object injection is a primitive that chains with classes already present in the installation (property-oriented programming, or POP, chains) and can lead to remote code execution, SQL injection or file manipulation, depending on which classes the WordPress installation loads.

Affected Products (AI-generated)

Dash WordPress theme by themeton, all versions from an unspecified starting point through version 1.3 inclusive. No CPE identifier is provided in the available data. The Patchstack vulnerability database entry (see reference URLs) indicates that the theme itself is affected, not a companion plugin. Administrators can verify whether the theme is installed by checking for the wp-content/themes/dash/ directory and reading the version number from the style.css header. No vendor advisory or official themeton security bulletin was identified in the provided references; the primary disclosure appears to be through Patchstack's third-party research platform.

Remediation (AI-generated)

Upgrade the Dash WordPress theme to version 1.4 or later if available (the exact patched version is not confirmed in the provided data; verify with themeton or the WordPress theme repository). Consult the Patchstack database entry at https://patchstack.com/database/wordpress/theme/dash/vulnerability/wordpress-dash-1-3-php-object-injection-vulnerability for the latest remediation guidance. If immediate patching is not feasible, implement compensating controls:

(1) Disable or remove the Dash theme entirely if it is not actively used and switch to a maintained alternative. This eliminates the attack surface completely but requires theme migration effort and possibly a site redesign.
(2) Add Web Application Firewall (WAF) rules that block requests containing serialized PHP object patterns (look for 'O:' followed by digits in POST/GET parameters). This may cause false positives if legitimate theme features use serialization, so the rules need tuning.
(3) Restrict WordPress admin access to trusted IP ranges via .htaccess or a network firewall. This reduces exposure but does not prevent exploitation if the vulnerability lives in a public-facing theme endpoint.
(4) Use PHP's disable_functions directive to block dangerous functions such as exec, system and passthru, which are common POP chain targets. This may break legitimate plugins, so test thoroughly in a staging environment.

Note that deserialization vulnerabilities are difficult to mitigate without code-level fixes, so vendor patching is the only complete solution.
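The following PHP example is added here to illustrate the mechanism described under Technical Context (magic methods firing during unserialize()) next to the code-level fix that Remediation says is needed, plus a helper for the 'O:' pattern check behind compensating control (2). It is not code from the Dash theme or from Patchstack; the DemoSetting class, the function names and the sample payload are constructed for the demonstration.

```php
<?php
// Constructed demo class standing in for any loaded class with a magic method;
// it only records that __wakeup() ran (it is not a class from the Dash theme).
class DemoSetting {
    public static bool $wakeupRan = false;
    public function __wakeup(): void { self::$wakeupRan = true; }
}

// Vulnerable pattern (CWE-502): untrusted input is passed straight to
// unserialize(), so any loaded class can be instantiated and its magic
// methods (__wakeup, __destruct, __toString) run during reconstruction.
function load_setting_unsafe(string $untrusted) {
    return unserialize($untrusted);
}

// Hardened pattern 1: forbid object instantiation. Objects in the payload
// come back as __PHP_Incomplete_Class and no magic method executes.
function load_setting_safe(string $untrusted) {
    return unserialize($untrusted, ['allowed_classes' => false]);
}

// Hardened pattern 2: keep theme settings in JSON, which has no
// object-injection primitive at all; the depth limit bounds nesting.
function load_setting_json(string $untrusted): array {
    $data = json_decode($untrusted, true, 16, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : [];
}

// Detection helper for a WAF or log rule: flags a parameter value that
// looks like a serialized PHP object ('O:' followed by digits), the
// pattern mentioned under compensating control (2).
function looks_like_php_object(string $value): bool {
    return (bool) preg_match('/(?:^|[;{])O:\d+:"/', $value);
}

// Constructed sample: a harmless serialized DemoSetting (11 = strlen of the name).
$sample = 'O:11:"DemoSetting":0:{}';

load_setting_unsafe($sample);
echo 'unsafe loader triggered __wakeup: ', var_export(DemoSetting::$wakeupRan, true), PHP_EOL;

DemoSetting::$wakeupRan = false;
$obj = load_setting_safe($sample);
echo 'safe loader returned incomplete class: ', var_export($obj instanceof __PHP_Incomplete_Class, true), PHP_EOL;
echo 'safe loader triggered __wakeup: ', var_export(DemoSetting::$wakeupRan, true), PHP_EOL;

echo 'WAF check flags serialized object: ', var_export(looks_like_php_object($sample), true), PHP_EOL;
echo 'WAF check flags JSON settings: ', var_export(looks_like_php_object('{"color":"blue"}'), true), PHP_EOL;
print_r(load_setting_json('{"color":"blue"}'));
```

The regex only catches the plain 'O:' form; as the remediation text notes, a WAF rule is a stop-gap and legitimate serialized data will need the rule tuned.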


CVE-2025-31049 vulnerability details – vuln.today
