EUVD-2025-17117CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3Tags
Description
Deserialization of Untrusted Data vulnerability in Axiomthemes Sweet Dessert allows Object Injection.This issue affects Sweet Dessert: from n/a before 1.1.13.
Analysis
Critical deserialization of untrusted data vulnerability in Axiomthemes Sweet Dessert that enables object injection attacks. The vulnerability affects Sweet Dessert versions before 1.1.13 and allows remote attackers to inject malicious serialized objects without authentication, potentially achieving remote code execution with complete system compromise. With a CVSS score of 9.8 and network-based attack vector requiring no user interaction or privileges, this represents a critical internet-exposed risk.
Technical Context
This vulnerability exploits unsafe deserialization practices (CWE-502: Deserialization of Untrusted Data) in the Sweet Dessert WordPress theme/plugin from Axiomthemes. The affected component improperly processes serialized PHP objects from untrusted sources without validation or filtering. Attackers can craft malicious serialized payloads leveraging PHP magic methods (__wakeup, __toString, __destruct) in gadget chains available within the application's codebase or loaded dependencies to achieve object injection. The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) indicates the vulnerability is exploitable over the network with low complexity and no authentication requirements, making it immediately actionable from any internet-connected attacker. Sweet Dessert appears to be a WordPress theme or plugin distributed through wordpress.org or Axiomthemes' marketplace.
Affected Products
Axiomthemes Sweet Dessert: versions before 1.1.13 (specific affected versions not enumerated in provided data, but likely includes 1.1.12 and all prior releases). CPE would be approximately: cpe:2.3:a:axiomthemes:sweet_dessert:*:*:*:*:*:wordpress:*:* with version constraint <1.1.13. Note: specific CPE string not provided in input; vendor should confirm exact product type (theme vs. plugin) and WordPress/WooCommerce dependencies. Users running Sweet Dessert on WordPress installations (both self-hosted and managed) are affected. No version-specific bypass information or special configurations limiting exposure are evident.
Remediation
IMMEDIATE: Update Axiomthemes Sweet Dessert to version 1.1.13 or later. Specific remediation steps: (1) Backup WordPress installation and database; (2) Via WordPress admin dashboard: Appearance > Themes (or Plugins) > locate 'Sweet Dessert' > click 'Update' to version 1.1.13+; (3) Via WP-CLI: wp plugin update sweet-dessert (or wp theme update sweet-dessert); (4) Verify update completion via installed version indicator; (5) Review site logs for suspicious POST requests to deserialization handlers (typically wp-admin/admin-ajax.php or REST endpoints). INTERIM MITIGATIONS (if immediate patching impossible): (a) Disable the Sweet Dessert theme/plugin temporarily and revert to default theme; (b) Implement WAF rules to block requests containing serialized PHP objects (patterns: O:[0-9]+:"[a-zA-Z0-9_]+" in POST/GET/headers); (c) Implement WordPress security hardening: disable file editing (DISALLOW_FILE_EDIT), restrict REST API access, enforce strong authentication. Reference: Axiomthemes official repository or wordpress.org plugin/theme update mechanism for patched release notes.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today