CVE-2025-39480

CRITICAL 9.8 (CVSS 3.1)
Published 2025-05-23, reported by [email protected]

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 16, 2026 - 14:30 (vuln.today)
CVE Published: May 23, 2025 - 13:15 (nvd)

Description

Deserialization of Untrusted Data vulnerability in ThemeMakers Car Dealer allows Object Injection. This issue affects Car Dealer: from n/a before 1.6.7.

Analysis

A critical deserialization vulnerability in the ThemeMakers Car Dealer WordPress theme allows unauthenticated remote attackers to perform PHP object injection. It affects all versions of Car Dealer prior to 1.6.7 and can lead to complete compromise of the site: arbitrary code execution, data theft, or full takeover. The EPSS score is 0.15% (35th percentile) and the CVE is not currently in CISA KEV; even so, the network-reachable attack vector and the absence of any authentication requirement make the real-world exploitation risk moderate.

Technical Context

This vulnerability stems from unsafe deserialization of user-controlled data, classified as CWE-502 (Deserialization of Untrusted Data). The Car Dealer theme, a WordPress automotive-dealership theme by ThemeMakers, handles serialized PHP objects without adequate validation. When PHP unserializes attacker-supplied data, it instantiates whatever classes the payload names and may trigger magic methods such as __wakeup() or __destruct() on them, which can lead to code execution. This is the basis of PHP Object Injection: a crafted serialized payload manipulates application logic or reaches remote code execution through gadget chains already present in the WordPress environment.

Affected Products

The vulnerability affects ThemeMakers Car Dealer WordPress theme in all versions prior to 1.6.7. This is a commercial WordPress theme designed for automotive dealerships and car sales websites. The vulnerability was discovered and reported by [email protected] through coordinated disclosure. While no specific CPE identifier is provided in the available data, the affected product can be identified as the 'cardealer' theme in WordPress environments. The vendor has released version 1.6.7 which addresses this vulnerability.

Remediation

Immediately upgrade the ThemeMakers Car Dealer theme to version 1.6.7 or later, which contains the fix for this deserialization vulnerability. The patch details are available through Patchstack's vulnerability database at https://patchstack.com/database/wordpress/theme/cardealer/vulnerability/wordpress-car-dealer-1-6-6-php-object-injection-vulnerability. If immediate patching is not possible, consider temporarily disabling the theme or implementing Web Application Firewall (WAF) rules to block serialized PHP data in user inputs. Additionally, review WordPress security best practices and ensure all themes and plugins are kept up-to-date to prevent similar vulnerabilities.
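The unsafe pattern described under Technical Context, beside the hardening a site owner can apply in addition to upgrading to 1.6.7, as an added example that is not code from the Car Dealer theme or from Patchstack. AuditLogger is a hypothetical stand-in for a gadget class and the serialized string is constructed for the demonstration.

```php
<?php
// Added example (not from the Car Dealer theme): the CWE-502 pattern in PHP
// and two hardened alternatives. $input stands for any attacker-controlled
// value (cookie, POST field, stored option) that reaches unserialize().

// Hypothetical stand-in for a "gadget": a class with a magic method that
// unserialize() can cause to run. Real WordPress installs ship many such
// classes, which is what the "gadget chains" in the analysis refer to.
class AuditLogger {
    public $logFile = '/tmp/app.log';
    public function __destruct() {
        // Runs when the object is garbage-collected, even though the
        // application never called it explicitly.
        error_log("AuditLogger destructed, would write to {$this->logFile}");
    }
}

// Constructed sample payload: an AuditLogger whose property the sender chose.
$input = 'O:11:"AuditLogger":1:{s:7:"logFile";s:16:"/tmp/evil/target";}';

// VULNERABLE: unserialize() instantiates whatever class the payload names,
// so __destruct() above fires with sender-controlled state.
function loadSettingsUnsafe(string $input) {
    return unserialize($input);
}

// HARDENED 1: refuse to instantiate any class. Objects in the payload become
// __PHP_Incomplete_Class, whose magic methods are never invoked.
function loadSettingsNoClasses(string $input) {
    return unserialize($input, ['allowed_classes' => false]);
}

// HARDENED 2: use a data-only format instead of PHP serialization, so no
// class name in the input can ever be turned into an object.
function loadSettingsJson(string $input): ?array {
    $data = json_decode($input, true, 16, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : null;
}

$obj = loadSettingsNoClasses($input);
var_dump($obj instanceof __PHP_Incomplete_Class);
var_dump(loadSettingsJson('{"logFile":"/tmp/app.log"}'));
```

The `allowed_classes` option exists since PHP 7.0; where a legitimate object type must be restored, pass an explicit array of class names instead of `false`, never `true`.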

Priority Score

49 on the site's Low / Medium / High / Critical scale
Contributions: KEV: 0, EPSS: +0.2, CVSS: +49, POC: 0


CVE-2025-39480 vulnerability details – vuln.today
