
Axiomthemes Sweet Dessert CVE-2025-49073

EUVD-2025-17117 · CRITICAL
Deserialization of Untrusted Data (CWE-502)
Published 2025-06-06 · audit@patchstack.com
CVSS 3.1 (NVD): 9.8

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7 events, newest first:

Apr 23, 2026 15:42 · vuln.today · Re-analysis Queued (trigger: cvss_changed)
Apr 16, 2026 05:55 · EUVD-patch-fix · Analysis Updated (executive_summary)
Apr 16, 2026 05:29 · backfill_euvd_patch · Re-analysis Queued (trigger: patch_released)
Apr 16, 2026 05:29 · EUVD · Patch available: 1.1.13
Mar 14, 2026 18:10 · euvd · EUVD ID Assigned: EUVD-2025-17117
Mar 14, 2026 18:10 · vuln.today · Analysis Generated
Jun 06, 2025 13:15 · nvd · CVE Published: CRITICAL 9.8

Description (CVE.org)

Deserialization of Untrusted Data vulnerability in Axiomthemes Sweet Dessert allows Object Injection. This issue affects Sweet Dessert: from n/a before 1.1.13.

Analysis (AI)

Critical deserialization of untrusted data vulnerability in Axiomthemes Sweet Dessert that enables PHP object injection. It affects Sweet Dessert versions before 1.1.13 and lets an unauthenticated remote attacker supply a serialized PHP object that the theme deserializes. What that object can do depends on the gadget chains present in the installation (WordPress core, the theme and active plugins): typical outcomes range from arbitrary file write or deletion to remote code execution. The NVD rating of 9.8, with a network attack vector and no privileges or user interaction required, scores that worst case, so any internet-facing site running an affected version should be treated as exposed.

Technical Context (AI)

The root cause is unsafe deserialization (CWE-502: Deserialization of Untrusted Data) in the Sweet Dessert WordPress theme from Axiomthemes: the affected component passes attacker-controlled data to PHP's unserialize() without restricting which classes may be instantiated. PHP then builds whatever object the payload names, and magic methods on that class (__wakeup on deserialization, __destruct when the object is released, __toString when it is used as a string, __call and others along the way) run with attacker-chosen property values. Exploitation therefore hinges on gadget chains: classes already loaded by WordPress core, the theme or any active plugin whose magic methods do something useful to the attacker, such as writing, deleting or including a file. The advisory does not name the vulnerable entry point or a specific chain; the CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) records that the deserialization is reachable over the network with low complexity and no authentication, so the flaw is actionable from any internet-connected attacker as soon as a usable chain exists. Sweet Dessert appears to be a commercial WordPress theme from Axiomthemes; the page gives no indication that it is distributed through wordpress.org, so the patched release comes from the vendor's own channel.
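The mechanism above, as an added example that is not code from the advisory or from the Sweet Dessert theme: a minimal PHP object injection next to the two fixes that stop it. The class name CacheWriter, the property names, the base64 wrapping and the preference-loading functions are illustrative assumptions; the real entry point in the theme is not named on this page. Requires PHP 8.0 or later.

```php
<?php
// Added example, not the theme's code. CacheWriter, the property names and
// the base64 wrapping are assumptions chosen to show the mechanism.
declare(strict_types=1);

// A "gadget": a class that is already loaded and whose magic method acts on
// attacker-controlled properties. A destructor that writes a file is a
// typical primitive in real chains.
class CacheWriter
{
    public string $path = '';
    public string $data = '';

    public function __destruct()
    {
        if ($this->path !== '') {
            file_put_contents($this->path, $this->data);
        }
    }
}

// Vulnerable pattern (CWE-502): untrusted input goes straight to unserialize(),
// so the payload picks the class and PHP instantiates it.
function loadPreferencesVulnerable(string $raw): mixed
{
    return unserialize(base64_decode($raw));
}

// Fix 1: keep unserialize() but forbid every class. Objects in the payload
// become __PHP_Incomplete_Class, whose magic methods never run.
function loadPreferencesHardened(string $raw): mixed
{
    $decoded = base64_decode($raw, true);
    if ($decoded === false) {
        return false;
    }
    return unserialize($decoded, ['allowed_classes' => false, 'max_depth' => 8]);
}

// Fix 2 (preferred for plain settings data): a format with no object semantics.
function loadPreferencesJson(string $raw): array
{
    $value = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
    return is_array($value) ? $value : [];
}

$target = sys_get_temp_dir() . '/object-injection-demo.txt';
@unlink($target);

// Constructed attacker payload: one CacheWriter whose properties point the
// destructor at a path of the attacker's choosing.
$serialized = 'O:11:"CacheWriter":2:{'
    . 's:4:"path";s:' . strlen($target) . ':"' . $target . '";'
    . 's:4:"data";s:5:"pwned";}';
$payload = base64_encode($serialized);

$obj = loadPreferencesVulnerable($payload);
unset($obj);                       // refcount hits zero: __destruct() runs
echo 'vulnerable: file written = ', var_export(file_exists($target), true), PHP_EOL;
@unlink($target);

$obj = loadPreferencesHardened($payload);
echo 'hardened:   got ', get_class($obj), PHP_EOL;
unset($obj);                       // no destructor on an incomplete class
echo 'hardened:   file written = ', var_export(file_exists($target), true), PHP_EOL;

try {
    loadPreferencesJson($serialized);
} catch (JsonException $e) {
    echo 'json:       rejected (', $e->getMessage(), ')', PHP_EOL;
}
```

The point of the hardened variant is that allowed_classes => false removes the attacker's choice of class entirely; an allow-list of specific classes is only as safe as the magic methods of every class on it. Where the data is plain configuration, JSON avoids the question altogether.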

Remediation (AI)

IMMEDIATE: Update Axiomthemes Sweet Dessert to version 1.1.13 or later.

(1) Back up the WordPress installation and database.
(2) Via the WordPress admin dashboard: Appearance > Themes (or Plugins, if the component is installed as a plugin) > locate 'Sweet Dessert' > Update to 1.1.13 or later. If the theme was purchased rather than installed from wordpress.org, the built-in updater will not see the release; download 1.1.13 from the vendor and install it as a ZIP.
(3) Via WP-CLI: wp theme update sweet-dessert (or wp plugin update sweet-dessert). The slug 'sweet-dessert' is assumed; confirm it with wp theme list. For a vendor-supplied ZIP use wp theme install /path/to/sweet-dessert.zip --force.
(4) Verify the installed version: wp theme list --name=sweet-dessert --fields=name,version, or read the Version header in the theme's style.css.
(5) Review web server logs for POST or GET requests to wp-admin/admin-ajax.php, REST routes under /wp-json/, or the theme's own PHP files whose parameters carry a serialized PHP object (the shape O:<n>:"<ClassName>":<k>:{). Payloads are frequently URL- or base64-encoded and may be delivered in cookies or headers, so decode before matching.

INTERIM MITIGATIONS (if immediate patching is impossible):
(a) Deactivate the Sweet Dessert theme/plugin and revert to a default theme. This removes the vulnerable code but also the theme's layout and shortcodes, so expect visible breakage.
(b) Add a WAF rule that blocks requests containing serialized PHP objects (pattern: O:[0-9]+:"[a-zA-Z0-9_]+" in the query string, body, cookies and headers). The pattern is distinctive enough to produce few false positives, but it only matches the plain form; without decoding layers the rule is bypassed by URL- or base64-encoded payloads, so treat it as a stopgap rather than a fix.
(c) General WordPress hardening: disable file editing (DISALLOW_FILE_EDIT), restrict REST API access, enforce strong authentication. None of these close the deserialization flaw itself; they limit what a successful gadget chain can reach afterwards.

Reference: Axiomthemes' release notes or the wordpress.org theme/plugin update mechanism for the patched release.
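A log-review helper for step (5) and the WAF caveat in (b), as an added example that is not code from the advisory or from the theme. It pulls request parameters out of access log lines and reports PHP serialized object headers in them, also when the value is URL- or base64-encoded, which the bare regex in (b) does not catch. The log line format, the class name CacheWriter and the parameter names are constructed for the demonstration.

```php
<?php
// Added example, not the theme's code. Log format, class and parameter names
// below are constructed.
declare(strict_types=1);

// A serialized object header looks like O:11:"CacheWriter":2:{ (C: for the
// legacy Serializable format). The declared length must equal the class name
// length, which removes false positives such as "TO:12:" in ordinary text.
const OBJECT_HEADER = '/(?<![A-Za-z0-9])[OC]:(\d+):"([A-Za-z0-9_\\\\]+)":\d+:\{/';

function findSerializedObjects(string $text): array
{
    $classes = [];
    if (preg_match_all(OBJECT_HEADER, $text, $m, PREG_SET_ORDER)) {
        foreach ($m as $hit) {
            if ((int) $hit[1] === strlen($hit[2])) {
                $classes[] = $hit[2];
            }
        }
    }
    return $classes;
}

// One layer each of URL decoding and strict (URL-safe aware) base64 decoding.
function candidateDecodings(string $value): array
{
    $out = [$value];
    $url = rawurldecode($value);
    if ($url !== $value) {
        $out[] = $url;
    }
    foreach ($out as $v) {               // iterates a copy: one base64 layer only
        if (preg_match('/^[A-Za-z0-9+\/=_-]{16,}$/', $v)) {
            $b = base64_decode(strtr($v, '-_', '+/'), true);
            if ($b !== false) {
                $out[] = $b;
            }
        }
    }
    return $out;
}

// Query string or form body -> [parameter name => [class names seen]]
function scanParams(string $params): array
{
    $hits = [];
    foreach (explode('&', $params) as $pair) {
        [$name, $value] = array_pad(explode('=', $pair, 2), 2, '');
        foreach (candidateDecodings($value) as $candidate) {
            foreach (findSerializedObjects($candidate) as $class) {
                $hits[rawurldecode($name)][] = $class;
            }
        }
    }
    return $hits;
}

// Constructed log format: common log prefix, "METHOD path", status, then the
// POST body in a trailing quoted field ("-" when there is none).
function extractParams(string $line): string
{
    $parts = [];
    if (preg_match('/"(?:GET|POST) \S+\?(\S+)"/', $line, $m)) {
        $parts[] = $m[1];
    }
    if (preg_match('/"([^"]*)"\s*$/', $line, $m) && $m[1] !== '-') {
        $parts[] = $m[1];
    }
    return implode('&', $parts);
}

$gadget = 'O:11:"CacheWriter":2:{s:4:"path";s:10:"/tmp/x.php";s:4:"data";s:5:"pwned";}';
$logLines = [
    '203.0.113.5 - - [06/Jun/2025:13:15:02 +0000] "POST /wp-admin/admin-ajax.php" 200 "action=sd_get_posts&page=2"',
    '198.51.100.7 - - [06/Jun/2025:13:16:40 +0000] "POST /wp-admin/admin-ajax.php" 200 "action=sd_import&data=' . rawurlencode($gadget) . '"',
    '198.51.100.7 - - [06/Jun/2025:13:17:05 +0000] "GET /?sd_prefs=' . base64_encode($gadget) . '" 200 "-"',
    '192.0.2.9 - - [06/Jun/2025:13:18:11 +0000] "GET /?q=O%3A3%3A%22PHPObject%22%3A1%3A%7B" 200 "-"',
];

foreach ($logLines as $i => $line) {
    $hits = scanParams(extractParams($line));
    printf("line %d: %s\n", $i + 1, $hits === [] ? 'clean' : json_encode($hits));
}
```

Lines 2 and 3 carry the same object, once percent-encoded in a form body and once base64-wrapped in a query parameter; both are reported under the parameter that carried them, while line 4, whose header length does not match the class name, is left alone. Adapt extractParams to the real log format, and remember that cookies and headers need the same treatment if the server logs them.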


CVE-2025-49073 vulnerability details – vuln.today
