Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Network and unauthenticated per the sink, but rated AC:H because reliable impact requires locating a suitable POP gadget chain; full C/I/A when a chain is reached.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Deserialization of Untrusted Data vulnerability in stmcan RT-Theme 18 | Extensions rt18-extensions allows Object Injection.This issue affects RT-Theme 18 | Extensions: from n/a through <= 2.5.
AnalysisAI
PHP Object Injection in the RT-Theme 18 | Extensions plugin (rt18-extensions) for WordPress affects all versions up to and including 2.5, allowing remote attackers to inject arbitrary PHP objects by supplying crafted serialized data to an unsafe deserialization sink. Because the CVSS vector reports PR:N/UI:N, exploitation does not require authentication or user interaction, and impact escalates to full compromise (confidentiality, integrity, availability all High) when a usable POP gadget chain is present in the WordPress stack. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The core condition is that attacker-controlled input reaches an unsafe deserialization (unserialize) sink within the rt18-extensions plugin on a site running RT-Theme 18 | Extensions version 2.5 or earlier. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are partially conflicting and should be weighed carefully. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker crafts a serialized PHP object payload targeting a gadget chain available in the WordPress installation and submits it to the vulnerable rt18-extensions input over the network (AV:N/AC:L/PR:N/UI:N). When the plugin deserializes the data, the injected object's magic methods fire, potentially leading to arbitrary file write, SQL manipulation, or code execution and full site takeover. … |
| Remediation | No vendor-released patched version is identified in the available data - the affected range is 'through <= 2.5' with no fixed version stated, so administrators should monitor the vendor (stmcan) and the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/rt18-extensions/vulnerability/wordpress-rt-theme-18-extensions-plugin-2-5-php-object-injection-vulnerability) for a release above 2.5 and update as soon as one is published. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: disable the rt18-extensions plugin on all WordPress instances and review access logs for potential exploitation attempts targeting the plugin. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Rt Theme 18 Extensions
View allPHP Local File Inclusion in the WordPress RT-Theme 18 | Extensions plugin (rt18-extensions) by stmcan lets remote attack
Reflected cross-site scripting in the stmcan RT-Theme 18 | Extensions WordPress plugin (all versions up to and including
Cross-site request forgery (CSRF) in stmcan RT-Theme 18 Extensions plugin version 2.5 and earlier allows unauthenticated
RT-Theme 18 Extensions WordPress plugin versions up to 2.5 exposes sensitive data through insertion of information into
Same weakness CWE-502 – Deserialization of Untrusted Data
View allSame technique Deserialization
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43387