
Smart Sections WPBakery Addon CVE-2025-39410

CRITICAL
Deserialization of Untrusted Data (CWE-502)
2025-05-19 audit@patchstack.com
9.8 (CVSS 3.1, NVD)

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Updated · Apr 28, 2026 20:12 · vuln.today · v3 (cvss_changed)
Analysis Updated · Apr 28, 2026 20:12 · vuln.today · v2 (cvss_changed)
Re-analysis Queued · Apr 23, 2026 15:42 · vuln.today · cvss_changed
Analysis Generated · Mar 28, 2026 18:42 · vuln.today
CVE Published · May 19, 2025 19:15 · nvd · CRITICAL 9.8

Description (CVE.org)

Deserialization of Untrusted Data vulnerability in themegusta Smart Sections Theme Builder - WPBakery Page Builder Addon. This issue affects Smart Sections Theme Builder - WPBakery Page Builder Addon: from n/a through 1.7.8.

Analysis (AI-generated)

PHP object injection in Smart Sections Theme Builder (WordPress plugin) through version 1.7.8 enables remote unauthenticated attackers to achieve arbitrary code execution via deserialization of untrusted data. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms network-based exploitation requiring no authentication or user interaction, creating a critical remotely exploitable condition. EPSS score of 0.37% (59th percentile) suggests moderate exploitation probability, though no CISA KEV listing or public exploit code has been identified at time of analysis. Patchstack database identifies this as a PHP Object Injection vulnerability affecting the WPBakery Page Builder addon.

Technical Context (AI-generated)

This vulnerability involves CWE-502 (Deserialization of Untrusted Data), commonly known as PHP Object Injection in WordPress contexts. The Smart Sections Theme Builder plugin for WPBakery Page Builder fails to validate serialized data before passing it to PHP's unserialize() function. When exploited, attackers can instantiate arbitrary PHP objects with attacker-chosen property values, triggering magic methods (__wakeup, __destruct, __toString) defined in WordPress core, active plugins, or themes. Chaining such classes forms a gadget chain that can lead to remote code execution, SQL injection, or file manipulation, depending on which classes are loaded in the target environment. WordPress plugins that accept serialized input from user-controlled sources without HMAC verification or class allowlisting are particularly exposed to this attack class.
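The unsafe unserialize() pattern this analysis describes, beside a form of the HMAC verification it names as the missing control, as an added example (illustrative PHP, not the Smart Sections plugin's code; the function names, blob layout and secret are assumptions):

```php
<?php
// Added example, not the plugin's code: the unsafe pattern behind CWE-502 beside a
// hardened version. Function names, the blob layout and the secret are hypothetical.

// Vulnerable: attacker-controlled input reaches unserialize() with no integrity check
// and no class restriction, so any loaded class with __wakeup/__destruct/__toString
// can be instantiated with attacker-chosen properties.
function load_section_settings_vulnerable(string $raw)
{
    return unserialize(base64_decode($raw));
}

// Hardened: the server signs what it emits with an HMAC under a server-side secret,
// and on the way back verifies the tag before any parsing happens.
function sign_section_settings(array $settings, string $secret): string
{
    $payload = json_encode($settings, JSON_THROW_ON_ERROR);
    $mac     = hash_hmac('sha256', $payload, $secret);
    return base64_encode($mac . '.' . $payload);
}

function load_section_settings_hardened(string $raw, string $secret): ?array
{
    $decoded = base64_decode($raw, true);
    if ($decoded === false || strpos($decoded, '.') === false) {
        return null;
    }
    [$mac, $payload] = explode('.', $decoded, 2);
    // hash_equals() compares in constant time; a forged or tampered blob stops here,
    // so untrusted bytes never reach a deserializer.
    if (!hash_equals(hash_hmac('sha256', $payload, $secret), $mac)) {
        return null;
    }
    // JSON carries no object semantics, so no magic method can fire. If the PHP
    // serialize() format had to be kept, unserialize($payload, ['allowed_classes' => false])
    // would instead turn every object into __PHP_Incomplete_Class.
    $settings = json_decode($payload, true, 512, JSON_THROW_ON_ERROR);
    return is_array($settings) ? $settings : null;
}

// Constructed demonstration data.
$secret = 'constructed-secret-stored-in-wp-config';
$good   = sign_section_settings(['layout' => 'two-column', 'sticky' => true], $secret);
// A blob built without the secret: same layout, but the tag cannot verify.
$forged = base64_encode(str_repeat('0', 64) . '.' . json_encode(['layout' => 'evil']));

var_dump(load_section_settings_hardened($good, $secret));   // verified, settings returned
var_dump(load_section_settings_hardened($forged, $secret)); // rejected before parsing
```

The same verify-then-parse order applies to any plugin option, cookie or form field that round-trips server state through the client.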

Affected Products (AI-generated)

All versions of Smart Sections Theme Builder - WPBakery Page Builder Addon (WordPress plugin) by themegusta through 1.7.8 are confirmed vulnerable per the Patchstack database. The plugin extends WPBakery Page Builder functionality for WordPress theme development. The Patchstack advisory is available at https://patchstack.com/database/wordpress/plugin/visucom-smart-sections/vulnerability/wordpress-smart-sections-theme-builder-wpbakery-page-builder-addon-plugin-1-7-8-php-object-injection-vulnerability (plugin slug 'visucom-smart-sections'). No CPE identifier is provided in the available data. The issue affects any WordPress installation where this plugin is active, regardless of WordPress core version.

Remediation (AI-generated)

Upgrade the Smart Sections Theme Builder plugin to version 1.7.9 or later if available (the patched version is not explicitly confirmed in the provided data; verify the current version at wordpress.org/plugins or in the Patchstack advisory). Until a patch can be applied, use these compensating controls. Disable the Smart Sections plugin entirely via the WordPress admin dashboard (Plugins > Installed Plugins > Deactivate), noting that this will break any theme functionality that depends on the plugin's sections and may require manual theme adjustments. If deactivation is not operationally feasible, add web application firewall (WAF) rules that block requests to the plugin's endpoints containing serialized PHP objects (patterns: 'O:' followed by a digit and a colon, and 'a:' array serialization markers), accepting that this may cause false positives for legitimate admin functions. Restrict WordPress admin access to trusted IP addresses via .htaccess or server configuration to reduce the attack surface, although this does not fully mitigate unauthenticated exploitation paths. Consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/visucom-smart-sections/ for updated patch status and detailed remediation guidance. Consider replacing this plugin with an actively maintained alternative for WPBakery Page Builder integration.

CVE-2025-39410 vulnerability details – vuln.today