
Acerola WordPress Theme CVE-2025-31927

CRITICAL
Deserialization of Untrusted Data (CWE-502)
2025-05-23 audit@patchstack.com
9.8
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Updated - Apr 28, 2026 20:07 (vuln.today) - v2 (cvss_changed)
Re-analysis Queued - Apr 23, 2026 15:42 (vuln.today) - cvss_changed
Analysis Generated - Mar 28, 2026 18:43 (vuln.today)
CVE Published - May 23, 2025 13:15 (nvd) - CRITICAL 9.8

Description (CVE.org)

Deserialization of Untrusted Data vulnerability in themeton Acerola allows Object Injection. This issue affects Acerola: from n/a through 1.6.5.

Analysis (AI)

PHP object injection in the Acerola WordPress theme, versions up to and including 1.6.5, lets a remote unauthenticated attacker submit serialized data that the theme hands to unserialize(). Depending on which classes are loadable at that point, the outcome ranges from manipulation of application data or denial of service up to arbitrary code execution. The CVSS 9.8 score reflects that worst case (network vector, no authentication, no user interaction). The EPSS score of 0.37% (59th percentile) suggests limited exploitation activity so far. The issue was reported by the Patchstack audit team (audit@patchstack.com) and published in the Patchstack database, which points to researcher discovery rather than an in-the-wild find. The CVE is not listed in CISA's KEV catalog; that is an absence of confirmed exploitation, not evidence that exploitation is only theoretical.

Technical Context (AI)

This vulnerability is an unsafe PHP deserialization (CWE-502): user-controlled data reaches unserialize() without validation. Acerola is a WordPress theme developed by themeton. The public advisory does not name the vulnerable component; in WordPress themes the usual candidates are AJAX handlers, theme-options import or processing code, and custom REST endpoints that accept serialized values, so the exact parameter is not documented here. PHP object injection works because unserialize() instantiates whatever class the payload names (provided that class is loadable) and fills its properties from the attacker's string. Magic methods then run with those attacker-chosen values: __wakeup during deserialization, __destruct when the object is freed, and __toString or __call when the object is later used. Whether this yields code execution, file deletion or only a crash depends on which classes are available as gadgets in WordPress core, the active plugins and the theme itself, which is why the 9.8 score describes a worst case rather than a guaranteed outcome. The CVSS vector (PR:N, UI:N) indicates the unserialize() call is reachable without authentication or user interaction. Themes commonly introduce this flaw when custom functionality unserializes POST/GET parameters or cookie values.
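The bug class described above, shown as an added example rather than code from the Acerola theme or the Patchstack advisory (the AuditLogWriter class, the handler names and the payload are all constructed for illustration): a handler that unserializes request data directly, beside two hardened variants.

```php
<?php
// Added illustration of the bug class behind CVE-2025-31927 (CWE-502 / PHP
// object injection). This is NOT code from the Acerola theme: the class,
// handler names and payload below are constructed for the example.

// Stand-in for a "gadget": any class loadable at unserialize() time (WordPress
// core, a plugin, or the theme itself) whose magic method does something
// sensitive with its own properties. Real gadgets delete or write files or
// invoke callbacks; this one only records what it would have done.
class AuditLogWriter
{
    public $path = '';
    public $line = '';
    public static $events = [];

    // Invoked automatically when the object is freed, i.e. as soon as the
    // unserialized value goes out of scope. Both properties came from the
    // attacker's payload, not from the application.
    public function __destruct()
    {
        self::$events[] = "would append '{$this->line}' to {$this->path}";
    }
}

// Vulnerable pattern: request data goes straight into unserialize(). Any
// loadable class named in the payload is instantiated and its magic methods run.
function load_settings_vulnerable(string $raw)
{
    return unserialize($raw);
}

// Hardened pattern 1 (PHP >= 7.0): allowed_classes => false turns every object
// in the payload into __PHP_Incomplete_Class, which has no magic methods of its
// own, so no attacker-chosen code path is reached. The handler then insists on
// the shape it actually expects (an array).
function load_settings_hardened(string $raw): array
{
    $data = @unserialize($raw, ['allowed_classes' => false]);
    return is_array($data) ? $data : [];
}

// Hardened pattern 2: do not accept PHP's serialization format across a trust
// boundary at all. JSON has no way to express a PHP object or class name.
function load_settings_json(string $raw): array
{
    $data = json_decode($raw, true);
    return is_array($data) ? $data : [];
}

// Constructed payload, as an attacker would submit it in a POST/GET/cookie
// parameter. serialize() is used only to avoid hand-counting string lengths;
// the text it produces is exactly what an attacker would type:
// O:14:"AuditLogWriter":2:{s:4:"path";s:17:"wp-config.php.bak";s:4:"line";s:11:"<?php evil;";}
$gadget = new AuditLogWriter();
$gadget->path = 'wp-config.php.bak';
$gadget->line = '<?php evil;';
$payload = serialize($gadget);
unset($gadget);                  // the original object's destructor fires here
AuditLogWriter::$events = [];    // discard that event; only the handlers count

$settings = load_settings_vulnerable($payload);
unset($settings);                // attacker-controlled __destruct() runs now
echo "vulnerable handler: ", count(AuditLogWriter::$events), " gadget event(s)\n";
foreach (AuditLogWriter::$events as $event) {
    echo "  ", $event, "\n";
}

AuditLogWriter::$events = [];
$settings = load_settings_hardened($payload);   // payload is an object, not an array
unset($settings);
echo "hardened handler:   ", count(AuditLogWriter::$events), " gadget event(s)\n";

echo "json handler:\n";
var_dump(load_settings_json('{"color":"#ffffff","layout":"wide"}'));
```

Running it shows the vulnerable handler producing one recorded gadget event with attacker-chosen path and content, while the hardened handler produces none and returns an empty array. Note that allowed_classes only removes the object-injection primitive; the endpoint that receives the data still needs its own authentication, capability and nonce checks, and the cleanest fix is to stop accepting PHP-serialized input from clients at all.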

Affected Products (AI)

WordPress theme 'Acerola' developed by themeton, all versions through 1.6.5, per the Patchstack advisory (reference: https://patchstack.com/database/wordpress/theme/acerola/vulnerability/wordpress-acerola-1-6-5-php-object-injection-vulnerability). CPE data was not available in NVD records at the time of analysis. Every WordPress installation running Acerola 1.6.5 or earlier is affected regardless of WordPress core version.

Remediation (AI)

Upgrade the Acerola theme as soon as themeton publishes a release later than 1.6.5. The Patchstack advisory confirms the vulnerability through 1.6.5 but does not document a fixed version, so verify with themeton's official distribution channels before treating any build as patched. If no patched version is available or the upgrade path is blocked, apply these compensating controls:
(1) Review the handlers Acerola registers that could receive serialized data. In particular, wp_ajax_nopriv_* actions on wp-admin/admin-ajax.php are reachable without logging in; remove or restrict them, or block those specific action names at a WAF or reverse proxy. Restricting admin-ajax.php by source IP via .htaccess or firewall rules is the blunt alternative (trade-off: breaks front-end theme features that depend on it).
(2) Deploy Web Application Firewall (WAF) rules that block serialized PHP objects in POST/GET/cookie parameters. Match the object markers O:[0-9]+:" and C:[0-9]+:" rather than a:[0-9]+:{, which also matches the serialized arrays WordPress itself passes around, and apply the check to URL-decoded and base64-decoded values as well (trade-off: residual false positives on legitimate serialized data, and encodings the rule does not unwrap will slip through).
(3) If the theme's features are non-critical, deactivate Acerola and migrate to a WordPress theme with active security maintenance.
Full advisory details at the Patchstack database: https://patchstack.com/database/wordpress/theme/acerola/vulnerability/wordpress-acerola-1-6-5-php-object-injection-vulnerability.
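The payload check suggested in control (2), written out as an added example with the false-positive caveat handled. This is not a rule from any WAF product and not the theme's code; the sample request values at the bottom are constructed.

```php
<?php
// Added example for compensating control (2): detecting serialized PHP object
// payloads in request parameters. Not the Acerola theme's code nor a rule from
// any WAF product; the request values at the bottom are constructed.

// True when $value carries a serialized PHP object token:
//   O:<len>:"<class>":   ordinary object
//   C:<len>:"<class>":   class with custom serialization (Serializable)
// Requiring the quoted class name after the length avoids the false positives a
// bare 'O:[0-9]+:' gives on ordinary text such as "TODO:12:30", and the
// lookbehind stops a match inside a longer word. Serialized arrays ('a:N:{')
// are deliberately not matched: WordPress moves those around legitimately.
function contains_php_object_token(string $value): bool
{
    $pattern = '/(?<![A-Za-z0-9_])[OC]:\d+:"[A-Za-z_\\\\][A-Za-z0-9_\\\\]*":/';
    return preg_match($pattern, $value) === 1;
}

// Applies the check to the raw value and to the two encodings most often used
// to carry serialized data in a WordPress request: URL encoding and base64.
function request_value_is_suspicious(string $value): bool
{
    $candidates = [$value, rawurldecode($value)];

    // Only try base64 on values that are plausibly base64, and decode strictly.
    if (preg_match('/^[A-Za-z0-9+\/]{8,}={0,2}$/', $value) === 1) {
        $decoded = base64_decode($value, true);
        if ($decoded !== false) {
            $candidates[] = $decoded;
        }
    }

    foreach ($candidates as $candidate) {
        if (contains_php_object_token($candidate)) {
            return true;
        }
    }
    return false;
}

// Constructed sample parameter values and the verdict a sound rule should give.
$object_payload = 'O:8:"stdClass":1:{s:3:"cmd";s:2:"id";}';
$samples = [
    // Legitimate WordPress-style serialized array: must be allowed.
    'a:2:{s:5:"color";s:7:"#ffffff";s:6:"layout";s:4:"wide";}' => false,
    // Ordinary text the loose 'O:[0-9]+:' rule would block: must be allowed.
    'TODO:12:30 sync with the design team'                      => false,
    // Serialized object, raw: must be blocked.
    $object_payload                                             => true,
    // Same payload URL-encoded, as sent in a form field or query string.
    rawurlencode($object_payload)                               => true,
    // Same payload base64-encoded, as some plugins store and accept it.
    base64_encode($object_payload)                              => true,
];

foreach ($samples as $value => $expected) {
    $verdict = request_value_is_suspicious($value);
    printf("%-5s (expected %-5s)  %s\n",
        $verdict ? 'BLOCK' : 'allow',
        $expected ? 'BLOCK' : 'allow',
        strlen($value) > 48 ? substr($value, 0, 45) . '...' : $value);
}
```

The same regex can be dropped into a WAF rule, but treat it as a stopgap: payloads nested inside JSON, gzip-compressed, split across parameters, or double-encoded are not unwrapped here, and only removing the unserialize() call (or an upgrade that does so) closes the hole.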


CVE-2025-31927 vulnerability details – vuln.today
