CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
Description
Deserialization of Untrusted Data vulnerability in themeton PIMP - Creative MultiPurpose allows Object Injection. This issue affects PIMP - Creative MultiPurpose: from n/a through 1.7.
Analysis
Critical deserialization of untrusted data vulnerability in the themeton PIMP (Creative MultiPurpose) plugin, affecting all versions through 1.7, that allows unauthenticated remote attackers to inject arbitrary objects and achieve complete system compromise (high confidentiality, integrity, and availability impact). The CVSS 9.8 score reflects a network-accessible, authentication-free attack vector with high impact across all three security dimensions. Exploitation requires no user interaction and can be performed by any unauthenticated network attacker; it becomes a top priority if the KEV catalog confirms active exploitation or a public POC is available.
Technical Context
This vulnerability stems from an unsafe deserialization pattern (CWE-502) in the themeton PIMP plugin, likely a WordPress or similar CMS extension. Unsafe deserialization occurs when the application deserializes untrusted data without proper validation, letting attackers instantiate arbitrary PHP objects with crafted property values. In WordPress/PHP contexts, gadget chains (sequences of existing classes whose magic methods, such as __wakeup, __destruct, or __toString, run automatically during deserialization or object teardown) can be combined to achieve remote code execution. The advisory lists affected versions as n/a through 1.7, meaning all releases up to and including 1.7 are vulnerable. No vendor CPE strings were provided; the affected product is identified as themeton/pimp (WordPress plugin family), likely with a CPE structure of vendor:themeton:pimp:<=1.7.
Affected Products
PIMP - Creative MultiPurpose (all versions through 1.7)
Remediation
Vendor Patch (priority: Critical - deploy immediately): Upgrade themeton PIMP to version 1.8 or later, assuming a patched version exists. Check the themeton official repository or the WordPress.org plugin directory for the latest release.
Workaround, if no patch is available (priority: High): Disable or deactivate the PIMP plugin until a patch is released. This removes the attack surface entirely.
Detection & Monitoring (priority: Medium - supplement to the primary remediation): Monitor HTTP requests for serialized PHP objects (PHP serialize() output starts with a type marker such as 'O:' for an object or 's:' for a string), and implement WAF rules that block POST/GET parameters carrying serialized data to the plugin endpoints.
Network Segmentation (priority: Medium): If immediate patching is impossible, restrict network access to the WordPress instance to trusted sources only, via IP allowlisting or WAF rules.
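The Detection & Monitoring item above and the Technical Context section both turn on one observable: a PHP serialize() object token (O:&lt;len&gt;:"Class": or C:&lt;len&gt;:"Class":) arriving in a request parameter, possibly nested inside a serialized array or wrapped in URL or base64 encoding. The following Python is an added example written for this page; it is not code from the advisory, from vuln.today or from the themeton plugin. It scans the query string and form body of sample requests for such tokens, reports the class names it finds, and deliberately ignores scalar tokens such as s:5:"hello"; because only object tokens can instantiate a class. The request dict shape, the base64/URL-decoding heuristic and the sample traffic are constructed; /wp-admin/admin-ajax.php is WordPress's real AJAX endpoint, but the action name example_action is a placeholder.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, quote, unquote_plus

# PHP serialize() object tokens look like O:<len>:"<Class>": (ordinary objects)
# or C:<len>:"<Class>": (classes implementing Serializable). Requiring the
# length prefix, the quotes and the trailing colon keeps ordinary text from matching.
PHP_OBJECT_TOKEN = re.compile(r'\b([OC]):(\d+):"([A-Za-z_\\][A-Za-z0-9_\\]*)":')


def find_php_objects(text):
    """Return the class name of every serialized-object token in text.

    Objects may be nested inside arrays (a:1:{i:0;O:...}), so the whole string
    is scanned rather than only its first characters. Scalar tokens such as
    s:5:"hello"; are not reported: they cannot instantiate a class.
    """
    classes = []
    for match in PHP_OBJECT_TOKEN.finditer(text):
        declared_len, class_name = int(match.group(2)), match.group(3)
        # A genuine serialize() token is self-consistent; a mismatch is noise.
        if declared_len == len(class_name):
            classes.append(class_name)
    return classes


def candidate_decodings(value):
    """Yield the value as-is, URL-decoded and base64-decoded.

    Constructed heuristic: these are the transport encodings a serialized
    payload is commonly wrapped in. Values that are not valid base64 simply
    yield no third decoding.
    """
    seen = set()
    for text in (value, unquote_plus(value)):
        if text not in seen:
            seen.add(text)
            yield text
    try:
        raw = base64.b64decode(value + "=" * (-len(value) % 4), validate=True)
    except (binascii.Error, ValueError):
        return
    decoded = raw.decode("utf-8", errors="replace")
    if decoded not in seen:
        yield decoded


def scan_request(request):
    """Inspect every query-string and form-body parameter of one request.

    `request` is a dict with keys method, path, query and body (a constructed
    shape, not a real log format). Returns a de-duplicated list of
    (parameter_name, class_name) findings; an empty list means no object token.
    """
    findings = []
    params = parse_qsl(request["query"], keep_blank_values=True)
    params += parse_qsl(request["body"], keep_blank_values=True)
    for name, value in params:
        for text in candidate_decodings(value):
            for class_name in find_php_objects(text):
                findings.append((name, class_name))
    return list(dict.fromkeys(findings))


def scan_requests(requests):
    """Map request index -> findings, for every request that carried an object."""
    report = {}
    for index, request in enumerate(requests):
        hits = scan_request(request)
        if hits:
            report[index] = hits
    return report


# Constructed sample traffic. stdClass is used as a harmless stand-in class name;
# example_action is a placeholder AJAX action, not a real plugin endpoint.
_OBJ = 'O:8:"stdClass":0:{}'
SAMPLE_REQUESTS = [
    # Plain search text that happens to contain "O:" must not be flagged.
    {"method": "GET", "path": "/", "query": "s=search+O%3A+rings", "body": ""},
    # A serialized *string* is not an object and must not be flagged.
    {"method": "POST", "path": "/wp-admin/admin-ajax.php", "query": "action=example_action",
     "body": "comment=s%3A5%3A%22hello%22%3B"},
    # Object nested inside a serialized array, URL-encoded in a form body.
    {"method": "POST", "path": "/wp-admin/admin-ajax.php", "query": "action=example_action",
     "body": "data=a%3A1%3A%7Bi%3A0%3B" + quote(_OBJ) + "%7D"},
    # Same object, base64-wrapped.
    {"method": "POST", "path": "/wp-admin/admin-ajax.php", "query": "action=example_action",
     "body": "payload=" + base64.b64encode(_OBJ.encode()).decode()},
]

if __name__ == "__main__":
    for index, hits in scan_requests(SAMPLE_REQUESTS).items():
        req = SAMPLE_REQUESTS[index]
        print(f"request {index} {req['method']} {req['path']}: {hits}")
```

Used as a WAF or log-review rule, the class names this reports are the useful signal: a plugin endpoint that never legitimately receives serialized objects should produce none, so any hit is worth an alert, and the length-consistency check plus the requirement for a quoted class name keep ordinary text such as a search query from tripping the rule.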
EUVD-2025-17499