
The Business CVE-2025-31430

Severity: CRITICAL, CVSS 3.1 base score 9.8 (NVD)
Weakness: Deserialization of Untrusted Data (CWE-502)
Published: 2025-05-23 · audit@patchstack.com

Severity by source

NVD (primary): 9.8 CRITICAL
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Updated: Apr 28, 2026 - 20:09 (vuln.today), v2 (cvss_changed)
Re-analysis Queued: Apr 23, 2026 - 15:42 (vuln.today), cvss_changed
Analysis Generated: Mar 28, 2026 - 18:43 (vuln.today)
CVE Published: May 23, 2025 - 13:15 (nvd), CRITICAL 9.8

Description (CVE.org)

Deserialization of Untrusted Data vulnerability in themeton The Business allows Object Injection. This issue affects The Business: from n/a through 1.6.1.

Analysis (AI)

PHP Object Injection in the 'The Business' WordPress theme through version 1.6.1 allows remote, unauthenticated attackers to execute arbitrary code, modify data, or cause a denial of service via deserialization of untrusted data. With a CVSS score of 9.8 (AV:N/AC:L/PR:N/UI:N), exploitation requires neither authentication nor user interaction. The EPSS score of 0.37% indicates a low predicted probability of exploitation despite the critical severity; no public exploit code or CISA KEV listing existed at the time of analysis. Patchstack catalogued this vulnerability, reflecting security researcher attention to WordPress theme supply chain risks.

Technical Context (AI)

This vulnerability stems from unsafe PHP deserialization (CWE-502) in the 'The Business' WordPress theme by themeton. PHP's unserialize() function reconstructs objects from serialized strings without validation, allowing an attacker to instantiate arbitrary classes with controlled properties and trigger their magic methods (__wakeup, __destruct, __toString). In WordPress themes this commonly occurs when user-controlled data (HTTP parameters, cookies, post meta) is passed directly to unserialize(). The attack leverages classes already present in WordPress core, plugins, or the theme itself to build gadget chains that achieve code execution, file manipulation, or SQL injection. The CVSS vector indicates network-accessible exploitation with low complexity: vulnerable endpoints accept untrusted serialized data without authentication, so automated scanning and exploitation become trivial once the attack surface is identified.

Affected Products (AI)

All versions of the WordPress theme 'The Business' by themeton through 1.6.1 inclusive are vulnerable to PHP object injection via deserialization of untrusted data. The Patchstack advisory at https://patchstack.com/database/wordpress/theme/nrgbusiness/vulnerability/wordpress-the-business-1-6-1-php-object-injection-vulnerability provides technical details. No CPE identifier was provided in the vulnerability data, which complicates automated asset correlation. Users should verify whether the theme is installed via the WordPress admin dashboard under Appearance > Themes, or check for an 'nrgbusiness' directory in wp-content/themes/.

Remediation (AI)

Upgrade the 'The Business' theme to version 1.6.2 or later if the vendor (themeton) has made one available, consulting https://patchstack.com/database/wordpress/theme/nrgbusiness/vulnerability/wordpress-the-business-1-6-1-php-object-injection-vulnerability for patch confirmation and testing guidance. If no patched version exists or the vendor has abandoned the theme, deactivate it immediately and replace it with an actively maintained alternative, since PHP object injection vulnerabilities cannot be effectively mitigated through configuration changes or WAF rules given the nature of deserialization exploits. As interim risk reduction while theme replacement awaits business approval, restrict wp-admin access to trusted IP ranges via .htaccess or firewall rules to limit the attack surface, though this does not prevent exploitation of front-end deserialization vectors. Deploy WordPress security plugins such as Wordfence or Sucuri with virtual patching capabilities, though their effectiveness against deserialization attacks is limited. Monitor WordPress access logs and PHP error logs for suspicious POST parameters containing serialized data patterns (a:, O:, s:) targeting theme endpoints.
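The log-monitoring step above, as an added example that is not part of this advisory or the theme's code: a Python scanner that decodes query-string and form-body parameters from constructed sample requests, flags well-formed PHP object tokens (O:...) as high and other serialized structures (a:, s:) as informational, and notes whether the request targets the 'nrgbusiness' theme directory. The endpoint file name in the samples is a placeholder, since the advisory does not name the vulnerable entry point, and capturing POST bodies assumes a WAF or ModSecurity-style audit log rather than a plain access log.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, quote, urlsplit

# A PHP serialized object token has the form  O:<len>:"<class>":<props>:{
OBJECT_TOKEN = re.compile(r'O:(\d+):"([^"]*)":(\d+):\{')
# Other serialized tokens (a:, s:, i:, b:, d:) at a value boundary; informational only.
OTHER_TOKEN = re.compile(r'(?:^|[;{])[asibd]:\d+[:;.]')
# Theme directory named in the advisory; requests under it deserve the most scrutiny.
THEME_DIR = "/wp-content/themes/nrgbusiness/"

def object_classes(value: str) -> list[str]:
    """Class names of well-formed object tokens (declared length must match the real name)."""
    return [cls for n, cls, _ in OBJECT_TOKEN.findall(value) if int(n) == len(cls)]

def views(value: str):
    """Yield the raw value, then its base64 decoding if it decodes cleanly (cookie-style wrapping)."""
    yield value
    try:
        yield base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return

def scan_request(target: str, body: str = "") -> dict:
    """Report parameters carrying PHP serialized objects (high) or other serialized data (info)."""
    url = urlsplit(target)
    params = parse_qsl(url.query, keep_blank_values=True) + parse_qsl(body, keep_blank_values=True)
    objects, other = {}, []
    for name, raw in params:
        for view in views(raw):
            classes = object_classes(view)
            if classes:
                objects[name] = classes
            elif OTHER_TOKEN.search(view) and name not in other:
                other.append(name)
    severity = "high" if objects else "info" if other else "none"
    return {"path": url.path, "theme_endpoint": url.path.startswith(THEME_DIR),
            "objects": objects, "serialized": other, "severity": severity}

# Constructed sample traffic, not real logs. The endpoint file name is a placeholder:
# the advisory does not name the theme's vulnerable entry point.
SAMPLES = [
    (THEME_DIR + "placeholder-endpoint.php?opts=" + quote('O:8:"stdClass":1:{s:1:"a";i:1;}', safe=""), ""),
    ("/wp-admin/admin-ajax.php", "action=save&state="
     + quote(base64.b64encode(b'a:1:{i:0;O:8:"stdClass":0:{}}').decode(), safe="")),
    ("/?s=O%3A+ring+of+fire", ""),  # ordinary search text: must not alert
    ("/contact", "prefs=" + quote('a:1:{s:4:"lang";s:2:"en";}', safe="")),
]
RESULTS = [scan_request(target, body) for target, body in SAMPLES]
```

Alert on severity "high" and give "info" hits on theme_endpoint requests more weight than the same pattern elsewhere, since ordinary plugins also legitimately round-trip serialized arrays.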


CVE-2025-31430 vulnerability details – vuln.today
