WeMusic Theme CVE-2025-53586
Severity (by source): HIGH
Primary rating from NVD · only source for this CVE.
CVSS Vector (NVD): CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description (CVE.org)
Deserialization of Untrusted Data vulnerability in NooTheme WeMusic noo-wemusic allows Object Injection. This issue affects WeMusic: from n/a through <= 1.9.1.
Analysis (AI)
PHP object injection in the NooTheme WeMusic WordPress theme, version 1.9.1 and earlier, allows authenticated attackers with low privileges to execute arbitrary code or manipulate application logic through unsafe deserialization of untrusted data. Reported by the Patchstack audit team. The EPSS exploitation probability is low (0.10%, 27th percentile), indicating limited observed attacker interest despite the CVSS 8.8 score (rated High by NVD). No active exploitation had been confirmed by CISA KEV at the time of analysis.
Technical Context (AI)
This vulnerability stems from CWE-502 (Deserialization of Untrusted Data), a class of flaws where applications deserialize user-controlled input without proper validation. In PHP applications like WordPress themes, unsafe use of functions such as unserialize() on attacker-controllable data allows injection of malicious serialized objects. When deserialized, these objects can trigger magic methods (__wakeup, __destruct, __toString) in existing classes, enabling property-oriented programming (POP) chain attacks. The WeMusic theme, a WordPress music and artist-focused theme by NooTheme, processes serialized data from authenticated users without sufficient sanitization, creating an entry point for object injection attacks against WordPress installations using this theme.
Affected Products (AI)
NooTheme WeMusic WordPress theme versions up to and including 1.9.1 are confirmed vulnerable. The vulnerability affects WordPress installations that have installed this premium music and artist theme. No CPE identifier was provided in available data. According to the Patchstack database reference (https://patchstack.com/database/Wordpress/Theme/noo-wemusic/vulnerability/wordpress-wemusic-theme-1-9-1-php-object-injection-vulnerability), the issue is specific to the WeMusic theme product line from NooTheme.
Remediation (AI)
Upgrade the WeMusic theme to a version newer than 1.9.1 if available from NooTheme. Contact the vendor directly through their official channels or WordPress theme marketplace to verify the availability of a security-patched release addressing CVE-2025-53586. Consult the Patchstack vulnerability database at https://patchstack.com/database/Wordpress/Theme/noo-wemusic/vulnerability/wordpress-wemusic-theme-1-9-1-php-object-injection-vulnerability for vendor patch status and specific remediation guidance. If no patched version is available, implement compensating controls: restrict WordPress user registration to trusted administrators only, audit existing low-privilege user accounts for legitimacy, implement Web Application Firewall (WAF) rules to inspect and block serialized PHP object patterns in POST requests (note: may cause false positives with legitimate theme functionality), and monitor WordPress logs for unusual deserialization activity or privilege escalation attempts. Consider migrating to an actively maintained alternative WordPress music theme if vendor support is discontinued. Note that disabling the theme entirely eliminates risk but breaks site functionality dependent on WeMusic features.
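The WAF and log-monitoring controls above need a way to tell a serialized PHP object apart from harmless serialized arrays or strings that merely contain "O:" text, which is where the false positives mentioned come from. The following is an added example, not code from vuln.today, Patchstack or NooTheme: a small parser for PHP's serialize() format that reports which classes a value would instantiate. It assumes the value being checked is a single POST parameter, and any allow-list of classes the theme legitimately deserializes is something the site operator has to supply.

```python
import re

def php_serialized_classes(data: bytes):
    """Class names unserialize() would instantiate: [] for plain scalar/array data, None if not PHP serialization."""
    pos, classes = 0, []

    def take(pattern):  # match a byte regex at the cursor, advance past it, return its groups
        nonlocal pos
        m = re.compile(pattern).match(data, pos)
        if not m:
            raise ValueError(f"malformed serialization at offset {pos}")
        pos = m.end()
        return m.groups()
    def counted():  # :<len>:"<bytes>"  the length is in bytes, so quotes or "O:" text inside the data are harmless
        nonlocal pos
        (n,) = take(rb':(\d+):"')
        raw, pos = data[pos:pos + int(n)], pos + int(n)
        take(rb'"')
        return raw
    def members():  # :<count>:{key;value;...}  shared by arrays and object property lists
        (n,) = take(rb':(\d+):\{')
        for _ in range(2 * int(n)):
            skip()
        take(rb'\}')
    def skip():  # parse one value, recording class names; the values themselves are discarded
        nonlocal pos
        tag, pos = data[pos:pos + 1], pos + 1
        if tag and tag in b"NbidrR":  # null, bool, int, double, references: <tag>[:<num>];
            take(rb'(?::[^;]*)?;')
        elif tag == b"s":  # s:<len>:"<bytes>";
            counted()
            take(rb';')
        elif tag in (b"a", b"O"):  # a:<count>:{...} / O:<len>:"<class>":<count>:{props}
            if tag == b"O":  # __wakeup/__destruct of this class would run on unserialize()
                classes.append(counted().decode("latin-1"))
            members()
        elif tag == b"C":  # C:<len>:"<class>":<len>:{opaque}  Serializable::unserialize() would run
            classes.append(counted().decode("latin-1"))
            (n,) = take(rb':(\d+):\{')
            pos += int(n)  # opaque payload handed to the class; skipped here
            take(rb'\}')
        else:
            raise ValueError(f"unknown type tag {tag!r} at offset {pos - 1}")

    try:
        skip()
    except ValueError:
        return None  # not a serialized value at all, so nothing for the rule to flag
    return classes if pos == len(data) else None  # trailing bytes: not a clean value
```

A rule built on this fires only when the returned list contains a class outside the operator's allow-list; ordinary form input (None) and serialized arrays or scalars ([]) pass through untouched.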