CVE-2025-31422
Description
Deserialization of Untrusted Data vulnerability in designthemes Visual Art | Gallery WordPress Theme (visual-arts) allows Object Injection. This issue affects Visual Art | Gallery WordPress Theme: from n/a through 2.4 (inclusive).
Analysis
Object injection via unsafe deserialization in the designthemes Visual Art | Gallery WordPress Theme (versions 2.4 and earlier) allows an attacker to instantiate arbitrary PHP objects, which can lead to remote code execution or information disclosure depending on the gadget chains available in the WordPress environment. No CVSS vector is available. Exploitation probability is low (EPSS 0.16, 36th percentile), and no public exploit code or active exploitation had been reported at the time of analysis.
Technical Context
The vulnerability is an instance of CWE-502 (Deserialization of Untrusted Data), a vulnerability class in which user-supplied input is passed to PHP's unserialize() function, or an equivalent, without validation. In the Visual Art | Gallery WordPress Theme this lets an attacker craft serialized PHP objects that, when deserialized, instantiate classes already present in the WordPress/plugin ecosystem. Because the theme neither sanitizes nor validates serialized data before processing it, any class loaded in the site can be instantiated, creating an object injection vector. WordPress plugins and core libraries frequently define magic methods (__wakeup, __destruct, __toString) that PHP invokes automatically on deserialized objects; where such classes form a usable gadget chain, the injected objects can be chained into arbitrary code execution.
Affected Products
The designthemes Visual Art | Gallery WordPress Theme (implicit CPE: wp:designthemes:visual-art-gallery-wordpress-theme) is affected in all versions from the initial release through version 2.4 inclusive. The theme is distributed, as a free or premium product, via the WordPress.org theme repository or third-party marketplaces. All installations running version 2.4 or earlier are at risk.
Remediation
Update the Visual Art | Gallery WordPress Theme to version 2.5 or later (the patched version is not explicitly stated in the references, but the Patchstack vendor advisory indicates a fix is available). In the WordPress dashboard, navigate to Appearance > Themes, locate Visual Art | Gallery, and click Update if one is offered. Alternatively, download the patched version from the official source (the designthemes website or the WordPress.org theme repository) and re-upload it manually. Until patching is possible, keep standard WordPress hardening in place: limit administrative access, and use code review to find and remove any direct deserialization of user-controlled data. For detailed remediation guidance, refer to the Patchstack advisory: https://patchstack.com/database/Wordpress/Theme/visual-arts/vulnerability/wordpress-visual-art-gallery-wordpress-theme-2-4-php-object-injection-vulnerability?_s_id=cve
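The following PHP is an added illustration of the CWE-502 pattern described under Technical Context and of the code-level hardening suggested above; it is not the theme's code, and the class, function and field names are hypothetical. It assumes PHP 7.3 or later (for JSON_THROW_ON_ERROR).

```php
<?php
// Stand-in for a "gadget" class that already exists in a site's code base.
// Its magic method only logs here; in a real chain it would write a file,
// include a template, or similar.
class GalleryCacheEntry {
    public $path;
    public function __destruct() {
        // PHP calls this automatically when the object is freed.
        error_log("GalleryCacheEntry::__destruct would act on " . $this->path);
    }
}

// Vulnerable pattern: any class loaded in the site can be instantiated from
// attacker-controlled input (cookie, POST field, stored option, ...).
function load_gallery_settings_unsafe(string $raw) {
    return unserialize($raw);
}

// Hardened pattern 1: forbid object instantiation. Objects in the payload
// become __PHP_Incomplete_Class, so no magic method of a real class runs.
function load_gallery_settings_safe(string $raw): array {
    $data = @unserialize($raw, ['allowed_classes' => false]);
    // The settings we expect are a plain array; anything else is rejected.
    return is_array($data) ? $data : [];
}

// Hardened pattern 2: do not use PHP serialization for untrusted data at all.
// JSON has no notion of a class, so there is nothing to inject.
function load_gallery_settings_json(string $raw): array {
    try {
        $data = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return [];
    }
    return is_array($data) ? $data : [];
}

// Constructed sample payload: a serialized GalleryCacheEntry, the shape an
// object injection attempt would take against the unsafe loader.
$payload = 'O:17:"GalleryCacheEntry":1:{s:4:"path";s:24:"/tmp/constructed-example";}';

var_dump(load_gallery_settings_safe($payload));        // array(0) {} - object rejected
var_dump(load_gallery_settings_json('{"columns":3}'));  // array(1) { ["columns"]=> int(3) }
```

Run with the unsafe loader instead and the same payload would create a real GalleryCacheEntry and fire its __destruct, which is exactly the behaviour the allowed_classes restriction and the JSON variant prevent.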