
FLAP WordPress Theme CVE-2025-31396

EUVD-2025-17498 · CRITICAL
Deserialization of Untrusted Data (CWE-502)
2025-06-09 · audit@patchstack.com
CVSS 3.1 (NVD): 9.8

Severity by source

NVD (primary): 9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD; the only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (5 events)

Apr 28, 2026 20:05 (vuln.today): Analysis Updated, v2 (cvss_changed)
Apr 23, 2026 15:42 (vuln.today): Re-analysis Queued (cvss_changed)
Mar 14, 2026 19:21 (euvd): EUVD ID Assigned, EUVD-2025-17498
Mar 14, 2026 19:21 (vuln.today): Analysis Generated
Jun 09, 2025 16:15 (nvd): CVE Published, CRITICAL 9.8

Description (CVE.org)

Deserialization of Untrusted Data vulnerability in themeton FLAP - Business WordPress Theme allows Object Injection. This issue affects FLAP - Business WordPress Theme: from n/a through 1.5.

Analysis (AI-generated)

PHP object injection in FLAP Business WordPress Theme versions through 1.5 allows unauthenticated remote attackers to execute arbitrary code via unsafe deserialization of user-supplied data. The CVSS 9.8 critical rating reflects network-based exploitation requiring no privileges or user interaction, enabling full system compromise. While an EPSS score of 0.14% suggests a low immediate exploitation probability, the availability of technical details in the Patchstack database increases the weaponization risk for WordPress installations running this theme.

Technical Context (AI-generated)

This vulnerability stems from CWE-502 (Deserialization of Untrusted Data), a weakness class in which an application accepts serialized PHP objects from untrusted sources without proper validation. In WordPress themes, this commonly occurs when user input passed via POST/GET parameters, cookies, or form data is processed through PHP's unserialize() function. The FLAP Business WordPress Theme processes untrusted serialized data, allowing attackers to craft malicious PHP objects that execute code during the deserialization process. Object injection vulnerabilities in PHP can leverage magic methods (__wakeup, __destruct, __toString) and existing application classes to achieve remote code execution, file manipulation, SQL injection, or authentication bypass. WordPress themes with this flaw are particularly dangerous because they run with the web server's privileges and can affect the entire WordPress installation, not just the theme itself.

Remediation (AI-generated)

Upgrade FLAP Business WordPress Theme to version 1.6 or later if one is available through the Themeton vendor or the ThemeForest/Envato marketplace. Consult the theme's official support channels or purchase dashboard for patch availability, as the patched version is not independently confirmed from the available data. If no patched version has been released, apply these compensating controls, each with a noted trade-off: disable the FLAP theme entirely and switch to a maintained alternative (eliminates the risk but requires a site redesign); restrict wp-admin access to trusted IP addresses only via .htaccess or firewall rules (reduces the attack surface but limits administrative flexibility); deploy a web application firewall with rules that detect PHP serialized-object patterns in HTTP requests (adds a defense layer but requires WAF expertise and may generate false positives). Monitor WordPress security logs for suspicious POST/GET parameter activity containing serialized PHP object patterns (a:, O:, s:). Reference the Patchstack advisory for the specific affected code paths, which may inform custom input validation patches.
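As an added, defender-side example (not code from vuln.today, Patchstack or the theme vendor) that covers both the deserialization mechanism described under Technical Context and the log-monitoring advice under Remediation: a Python scanner that recognises PHP serialize() tokens in request parameters, separates harmless arrays and scalars from O:/C: object tokens (the only tokens unserialize() turns into class instances, and therefore the only ones that can reach __wakeup/__destruct gadgets), and avoids the false positive of an "O:" that is merely the content of a string value, which a plain grep for the pattern would flag. The log lines, client addresses, parameter names and payloads are constructed for the example and do not come from the advisory.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Structural tokens of PHP's serialize() format. unserialize() only instantiates
# classes from O: (object) and C: (custom Serializable) tokens; a:, s:, i:, d:,
# b: and N; carry plain data and are harmless on their own.
_OBJECT_TOKEN = re.compile(r'[OC]:\d+:"')
_STRING_TOKEN = re.compile(r's:(\d+):"')
_LEADING_TOKEN = re.compile(
    r'(?:a:\d+:\{|[OC]:\d+:"|s:\d+:"|i:-?\d+;|d:-?\d|b:[01];|N;)'
)
# Request line inside an Apache/nginx combined-format access log entry.
_REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def looks_serialized(value: str) -> bool:
    """True if the value begins with a token unserialize() would accept."""
    return _LEADING_TOKEN.match(value) is not None


def contains_php_object(payload: str) -> bool:
    """Walk a serialized payload and report whether an O:/C: object token occurs.

    The walk honours s:<len>:"..." string bodies, so an 'O:' that is merely the
    content of a string value (a common false positive for naive grep rules)
    is not counted as an object.
    """
    i, n = 0, len(payload)
    while i < n:
        if _OBJECT_TOKEN.match(payload, i):
            return True
        m = _STRING_TOKEN.match(payload, i)
        if m:
            # Skip the declared body plus the closing quote and semicolon.
            i = m.end() + int(m.group(1)) + 2
        else:
            i += 1
    return False


def classify(value: str):
    """Return 'php_object', 'php_serialized' or None for one parameter value."""
    if not looks_serialized(value):
        return None
    return "php_object" if contains_php_object(value) else "php_serialized"


def scan_access_log(text: str) -> list:
    """Flag query-string parameters that carry PHP-serialized data.

    Only the query string is visible in a standard access log; POST bodies
    need a WAF or application log that records them, fed through classify().
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = _REQUEST_RE.search(line)
        if not m:
            continue
        client = line.split(" ", 1)[0]
        query = urlsplit(m.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            kind = classify(value)
            if kind:
                findings.append(
                    {"line": line_no, "client": client, "param": name, "kind": kind}
                )
    return findings


# Constructed sample log (addresses, parameter names and payloads are invented
# for this example and do not come from the advisory).
SAMPLE_LOG = """\
203.0.113.10 - - [09/Jun/2025:16:15:01 +0000] "GET /?s=hello HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [09/Jun/2025:16:15:02 +0000] "GET /?flap_opts=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D HTTP/1.1" 200 77 "-" "curl/8.0"
203.0.113.12 - - [09/Jun/2025:16:15:03 +0000] "GET /?prefs=a%3A1%3A%7Bi%3A0%3Bs%3A3%3A%22abc%22%3B%7D HTTP/1.1" 200 77 "-" "curl/8.0"
203.0.113.13 - - [09/Jun/2025:16:15:04 +0000] "GET /?note=s%3A10%3A%22O%3A4%3A%22Foo%22%3A%22%3B HTTP/1.1" 200 77 "-" "curl/8.0"
"""

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['client']} param={f['param']} kind={f['kind']}")
```

Treat "php_object" findings as alerts worth triage and "php_serialized" findings as context: a theme or plugin may legitimately round-trip serialized arrays in a parameter, but a class instance arriving from an unauthenticated client is exactly the input unserialize() should never see. The same classify() function can be applied to WAF or application logs that capture POST bodies and cookies, which the Technical Context paragraph lists as the usual carriers.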


CVE-2025-31396 vulnerability details – vuln.today
