Spare WordPress Theme EUVD-2025-18547

CVE-2025-31919 CRITICAL
Deserialization of Untrusted Data (CWE-502)
2025-06-17 · audit@patchstack.com
CVSS 3.1 (NVD): 9.8
Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (5 events)

Analysis Updated: Apr 28, 2026 20:03 (vuln.today), v2 (cvss_changed)
Re-analysis Queued: Apr 23, 2026 15:42 (vuln.today), cvss_changed
EUVD ID Assigned: Mar 14, 2026 22:15 (euvd), EUVD-2025-18547
Analysis Generated: Mar 14, 2026 22:15 (vuln.today)
CVE Published: Jun 17, 2025 15:15 (nvd), CRITICAL 9.8

Description (CVE.org)

Deserialization of Untrusted Data vulnerability in themeton Spare allows Object Injection. This issue affects Spare: from n/a through 1.7.

Analysis (AI)

PHP object injection in the Spare WordPress theme, versions up to 1.7, lets a remote, unauthenticated attacker execute arbitrary code by supplying untrusted serialized data to the theme's deserialization logic. The CVSS 9.8 critical rating reflects network-reachable exploitation with no authentication or user interaction required, and complete system compromise as the possible impact. The EPSS score of 0.14% (34th percentile) suggests a low observed exploitation probability despite the critical severity, and the absence of a CISA KEV listing indicates that no widespread active exploitation has been detected. The Patchstack vulnerability database records this as a PHP object injection vulnerability in the WordPress theme marketplace.

Technical Context (AI)

This is a CWE-502 deserialization vulnerability affecting the Spare WordPress theme by themeton. PHP object injection occurs when untrusted serialized data is passed to PHP's unserialize() function without proper validation, allowing attackers to instantiate arbitrary objects and potentially trigger magic methods (__wakeup, __destruct, __toString) that execute attacker-controlled code. WordPress themes often deserialize user-supplied data from cookies, POST parameters, or database values for session management or configuration storage. The vulnerability's AV:N vector indicates the deserialization endpoint is accessible over the network, likely through theme-specific AJAX handlers or form processors that accept serialized PHP objects without sanitization. Successful exploitation depends on the presence of suitable PHP gadget chains within the WordPress environment (core, plugins, or theme code) that can be chained to achieve code execution, file manipulation, or SQL injection.

Remediation (AI)

Consult the Patchstack advisory at https://patchstack.com/database/wordpress/theme/spare/vulnerability/wordpress-spare-1-7-php-object-injection-vulnerability for vendor-confirmed remediation steps. The fixed version number is not confirmed in the available data; organizations must verify with themeton or Patchstack whether version 1.8 or later addresses this vulnerability. If no patched version exists, implement compensating controls:

(1) Replace the Spare theme with an alternative, actively maintained theme. Side effect: the site appearance must be redesigned and custom functionality may break.
(2) Deploy web application firewall rules that block serialized PHP objects in HTTP requests (inspect POST/GET parameters and cookies for patterns such as 'O:' followed by digits). Side effect: false positives may block legitimate WordPress operations that carry serialized data.
(3) Restrict wp-admin and theme file access to trusted IP addresses via .htaccess or firewall rules. Side effect: reduced administrative flexibility for remote teams.

Monitor WordPress security logs for unusual unserialize() calls or unexpected object instantiation. Verify that the theme is actively maintained before deploying it in production environments.
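The following PHP snippet is an added illustration of the unsafe pattern described in the Technical Context section and of the request-inspection heuristic from compensating control (2); it is not code from the Spare theme, themeton or Patchstack. The preference loader, its data layout and the sample inputs are constructed for this example. The hardened loader relies on the allowed_classes option of PHP's unserialize() (available since PHP 7.0), and the JSON variant shows the format a theme should prefer for user-controlled settings.

```php
<?php
declare(strict_types=1);

/*
 * Added example, not code from the Spare theme, themeton or Patchstack.
 * A hypothetical theme-preference loader: in a real theme $raw would come
 * from a cookie, a POST field or a stored option; here it is fed constructed
 * strings so the file runs stand-alone.
 */

// Unsafe pattern: unserialize() on request data with no class restriction.
// Any class reachable by the autoloader can be instantiated, so a
// __wakeup()/__destruct() in core, a plugin or the theme becomes reachable.
function load_prefs_unsafe(string $raw): mixed
{
    return unserialize($raw);
}

// Hardened: allowed_classes => false turns every "O:" payload into a
// __PHP_Incomplete_Class, which is rejected below; scalars and arrays survive.
function load_prefs_hardened(string $raw): array
{
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return [];                       // malformed or non-array input: defaults
    }
    array_walk_recursive($data, function ($v): void {
        if ($v instanceof __PHP_Incomplete_Class) {
            throw new RuntimeException('serialized object rejected');
        }
    });
    return $data;
}

// Preferred: store preferences as JSON, which cannot carry PHP objects at all.
function load_prefs_json(string $raw): array
{
    $data = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : [];
}

// The inspection heuristic from the remediation section: a serialized PHP
// object starts with O:<digits>:" either at the start of the value or after
// a separator inside an array. It is a triage aid for WAF rules and log
// review; legitimate serialized data can also match, so treat hits as
// candidates for review rather than proof of attack.
function looks_like_serialized_object(string $value): bool
{
    return preg_match('/(?:^|[;{])O:\d+:"/', $value) === 1;
}

// Constructed sample inputs for a local run.
$benign = serialize(['layout' => 'wide', 'sidebar' => true]);
$object = 'O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}';   // harmless stand-in
$nested = 'a:1:{i:0;' . $object . '}';

var_dump(load_prefs_hardened($benign));
var_dump(load_prefs_json('{"layout":"wide","sidebar":true}'));

foreach ([$benign, $object, $nested] as $raw) {
    printf("%-48s flagged=%s\n", substr($raw, 0, 48),
        looks_like_serialized_object($raw) ? 'yes' : 'no');
}

try {
    load_prefs_hardened($nested);
} catch (RuntimeException $e) {
    echo 'hardened loader: ', $e->getMessage(), PHP_EOL;
}
```

Run with `php example.php`: the benign array round-trips through both hardened loaders, the two object-bearing strings are flagged by the heuristic, and the nested object is refused by the hardened loader instead of being instantiated. The point of the allowed_classes check is that it removes the gadget-chain dependency described above entirely, whereas the regex only reduces exposure and must be tuned against the site's legitimate traffic.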

EUVD-2025-18547 vulnerability details – vuln.today