Entrepreneur WordPress Theme CVE-2025-69130
Severity (by source): HIGH
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Network-reachable WordPress endpoint (AV:N), low-complexity deserialization payload (AC:L), Subscriber account required (PR:L), no user interaction, and object injection typically yields full CIA impact via gadget chains.
Primary rating from Vendor (Patchstack).
CVSS Vector (Vendor: Patchstack)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description (CVE.org)
Subscriber PHP Object Injection in Entrepreneur - Booking for Small Businesses WordPress Theme <= 3.1.3 versions.
Analysis (AI)
PHP Object Injection in the Entrepreneur - Booking for Small Businesses WordPress theme, through version 3.1.3, allows authenticated subscriber-level users to trigger unsafe deserialization, potentially leading to full site compromise. The flaw was disclosed via Patchstack and carries a CVSS 3.1 base score of 8.8, reflecting high impact on confidentiality, integrity, and availability. No public exploit was identified at the time of analysis.
Technical Context (AI)
The vulnerability is a PHP Object Injection issue (CWE-502: Deserialization of Untrusted Data) in the Themovation 'Entrepreneur - Booking for Small Businesses' WordPress theme, identified by CPE cpe:2.3:a:themovation:entrepreneur_-_booking_for_small_businesses_wordpress_theme. PHP Object Injection occurs when user-controllable input reaches PHP's unserialize() function, allowing an attacker to instantiate arbitrary classes that are loaded at that point and trigger their magic methods (__wakeup, __destruct, __toString). In WordPress ecosystems, such flaws are commonly chained with property-oriented programming (POP) gadget chains from WordPress core or other installed plugins/themes to achieve file write, SQL injection, or remote code execution outcomes.
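The pattern described above, shown beside its hardened form, as an added illustration that is not code from the Entrepreneur theme (whose vulnerable endpoint is not public); the AuditHook class and the two restore functions are hypothetical names, and the serialized string is a constructed sample:

```php
<?php
// Added illustration, not code from the Entrepreneur theme. AuditHook,
// vulnerable_restore() and hardened_restore() are hypothetical names.

// A benign stand-in for a gadget class: its magic methods announce when they run.
class AuditHook {
    public $message = 'default';
    public function __wakeup()   { echo "__wakeup fired: {$this->message}\n"; }
    public function __destruct() { echo "__destruct fired: {$this->message}\n"; }
}

// Constructed sample of subscriber-controlled input (e.g. a POST field, cookie
// or user meta value): a serialized AuditHook object.
$untrusted = 'O:9:"AuditHook":1:{s:7:"message";s:7:"default";}';

// Vulnerable pattern (CWE-502): the class named in the payload is instantiated
// and its __wakeup/__destruct run with attacker-chosen property values.
function vulnerable_restore(string $data) {
    return unserialize($data);
}

// Hardened pattern: allowed_classes => false (PHP 7.0+) turns every object in
// the payload into __PHP_Incomplete_Class, so no magic method is ever invoked.
// Rejecting any object outright is the safe default for user-supplied data.
function hardened_restore(string $data) {
    $value = @unserialize($data, ['allowed_classes' => false]);
    if ($value === false || contains_object($value)) {
        return null; // malformed input, or an object where only scalars/arrays belong
    }
    return $value;
}

// Walks nested arrays so an object hidden inside an array is also rejected.
function contains_object($value): bool {
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// The vulnerable path prints both magic-method messages; the hardened path
// returns NULL without instantiating AuditHook at all.
var_dump(vulnerable_restore($untrusted) instanceof AuditHook);
var_dump(hardened_restore($untrusted));
```

Where the data format is under your control, storing user-supplied structures as JSON (json_decode with assoc=true) removes the object-instantiation path entirely.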
Remediation (AI)
Patch status in the available data is ambiguous: no exact fix version is enumerated. Confirm patch availability via the Patchstack advisory at https://patchstack.com/database/wordpress/theme/entrepreneurx/vulnerability/wordpress-entrepreneur-booking-for-small-businesses-wordpress-theme-theme-3-1-3-php-object-injection-vulnerability and the Themovation vendor page, and upgrade to any release later than 3.1.3 once available. As compensating controls: disable open user registration in WordPress Settings → General (trade-off: blocks self-service signup flows); restrict the Subscriber role from reaching the vulnerable endpoint via a WAF rule or an mu-plugin gate; and deploy a virtual patch through Patchstack or Wordfence, which can block known object-injection payloads (trade-off: may produce false positives on legitimate serialized cookies/meta). Until patched, consider deactivating the Entrepreneur theme and switching to an unaffected theme if business operations allow.