
PIMP Creative MultiPurpose CVE-2025-31398

EUVD-2025-17499 · CRITICAL
Deserialization of Untrusted Data (CWE-502)
2025-06-09 · audit@patchstack.com
CVSS 3.1 (NVD): 9.8

Severity by source

NVD (primary): 9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD; the only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (5 events)

Analysis Updated: Apr 28, 2026 - 20:05 (vuln.today), v2 (cvss_changed)
Re-analysis Queued: Apr 23, 2026 - 15:42 (vuln.today), cvss_changed
EUVD ID Assigned: Mar 14, 2026 - 19:21 (euvd), EUVD-2025-17499
Analysis Generated: Mar 14, 2026 - 19:21 (vuln.today)
CVE Published: Jun 09, 2025 - 16:15 (nvd), CRITICAL 9.8

Description (CVE.org)

Deserialization of Untrusted Data vulnerability in themeton PIMP - Creative MultiPurpose allows Object Injection. This issue affects PIMP - Creative MultiPurpose: from n/a through 1.7.

Analysis (AI)

Insecure deserialization of user-controlled data in the PIMP Creative MultiPurpose WordPress theme, through version 1.7, allows unauthenticated attackers to execute arbitrary PHP code. The CVSS 9.8 score reflects network-accessible exploitation with no authentication or user interaction required. Patchstack identified this vulnerability. The EPSS probability is low (0.14%, 34th percentile), suggesting that no public exploit had been identified at the time of analysis and that observed exploitation attempts are limited.

Technical Context (AI)

This vulnerability stems from unsafe deserialization (CWE-502) in a WordPress theme. PHP's unserialize() function reconstructs objects from serialized strings, allowing attackers to instantiate arbitrary classes and trigger magic methods (__wakeup, __destruct, __toString) with attacker-controlled properties. WordPress ecosystems contain numerous gadget chains in popular plugins and core components that can be chained to achieve code execution. The PIMP theme appears to deserialize user-supplied data without proper validation or integrity checks, creating an object injection vector. When exploited, attackers can leverage existing PHP classes to write files, execute system commands, or manipulate application state. This class of vulnerability is particularly dangerous in WordPress environments due to the abundance of exploitable gadget chains across the plugin ecosystem.
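As an added illustration (not code from the PIMP theme, which the advisory does not show), the unsafe pattern described above beside a hardened loader that adds an integrity check and disables object instantiation. Class, function and parameter names are hypothetical and the secret is a placeholder.

```php
<?php
// Added example, not the theme's code. Names are hypothetical; the secret is a placeholder.

// Stand-in for any class loaded in the WordPress process that carries a magic
// method. Here it only prints; in a real gadget chain the side effect would be
// a file write or a system command, as the advisory describes.
class AuditDemo
{
    public $name = '';
    public function __wakeup()
    {
        echo "__wakeup() ran with attacker-chosen name: {$this->name}\n";
    }
}

// VULNERABLE (CWE-502): client data goes straight to unserialize(), so any
// class available to PHP is instantiated and its magic methods execute before
// the caller can inspect the result.
function load_theme_options_vulnerable(string $raw): array
{
    $opts = unserialize($raw);
    return is_array($opts) ? $opts : [];
}

// HARDENED: (1) only payloads the server itself signed with a secret are
// accepted, so client-crafted data never reaches unserialize(); (2)
// allowed_classes => false turns any object in the stream into
// __PHP_Incomplete_Class, so no magic method can run even if (1) were bypassed.
function sign_theme_options(array $opts, string $secret): string
{
    $body = serialize($opts);
    return hash_hmac('sha256', $body, $secret) . '.' . base64_encode($body);
}

function load_theme_options_hardened(string $raw, string $secret): array
{
    if (!preg_match('/^([0-9a-f]{64})\.([A-Za-z0-9+\/=]+)$/', $raw, $m)) return [];
    $body = base64_decode($m[2], true);
    if ($body === false || !hash_equals(hash_hmac('sha256', $body, $secret), $m[1])) return [];
    $opts = unserialize($body, ['allowed_classes' => false]);
    return is_array($opts) ? $opts : [];
}

$secret  = 'PLACEHOLDER-generate-a-random-secret-and-store-it-server-side';
$payload = 'O:9:"AuditDemo":1:{s:4:"name";s:9:"untrusted";}'; // constructed input

load_theme_options_vulnerable($payload);                   // __wakeup() fires: the object was built unconditionally
load_theme_options_hardened($payload, $secret);            // rejected by the signature check; nothing is instantiated
$signed = sign_theme_options(['layout' => 'boxed'], $secret);
load_theme_options_hardened($signed, $secret);             // server-produced data is accepted and decoded
```

Where the stored data does not need PHP objects at all, replacing serialize()/unserialize() with json_encode()/json_decode() removes the object-injection vector entirely.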

Remediation (AI)

Upgrade to PIMP Creative MultiPurpose theme version 1.8 or later if available; consult the Patchstack advisory at https://patchstack.com/database/wordpress/theme/pimp/vulnerability/wordpress-pimp-creative-multipurpose-1-7-deserialization-of-untrusted-data-vulnerability for the confirmed patched version.

If no patch is available or an immediate upgrade is not feasible, apply compensating controls:

Disable or remove the PIMP theme entirely and switch to an alternate WordPress theme until a patched version is released.

Deploy a Web Application Firewall (WAF) with rules that block serialized PHP objects in POST/GET parameters (for example, a regex matching 'O:' patterns in requests). This may break legitimate theme functionality that uses serialization.

Restrict wp-admin access to trusted IP addresses via .htaccess or firewall rules to limit the attack surface. This does not address unauthenticated vectors if they are present in front-end theme code.

Monitor WordPress access logs for unusual POST requests containing serialized data patterns.

Note that WAF blocking of serialization can interfere with WordPress core features such as widgets and transients, so test the rules before deploying them to production.


CVE-2025-31398 vulnerability details – vuln.today
