VYPR

CWE-502

Deserialization of Untrusted Data

Base | Draft | Likelihood: Medium

Description

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-586

CVEs mapped to this weakness (971)

page 10 of 49
  • CVE-2025-30949 | Cri | Jul 16, 2025
    risk 0.64 | cvss 9.8 | epss 0.00

    Deserialization of Untrusted Data vulnerability in Guru Team Site Chat on Telegram site-chat-on-telegram allows Object Injection. This issue affects Site Chat on Telegram: from n/a through <= 1.0.4.

  • CVE-2025-28961 | Cri | Jul 16, 2025
    risk 0.64 | cvss 9.8 | epss 0.00

    Deserialization of Untrusted Data vulnerability in Md Yeasin Ul Haider URL Shortener exact-links allows Object Injection. This issue affects URL Shortener: from n/a through <= 3.0.7.

  • CVE-2025-27203 | Cri | Jul 8, 2025
    risk 0.64 | cvss 9.6 | epss 0.23

    Adobe Connect versions 24.0 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could lead to arbitrary code execution by an attacker. Exploitation of this issue does require user interaction and scope is changed.

  • CVE-2025-49417 | Cri | Jul 4, 2025
    risk 0.64 | cvss 9.8 | epss 0.00

    Deserialization of Untrusted Data vulnerability in BestWpDeveloper WooCommerce Product Multi-Action Woo-product-multiaction allows Object Injection. This issue affects WooCommerce Product Multi-Action: from n/a through <= 1.3.

  • CVE-2024-13786 | Cri | Jul 2, 2025
    risk 0.64 | cvss 9.8 | epss 0.03

    The education theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.6.10 via deserialization of untrusted input in the 'themerex_callback_view_more_posts' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.

  • CVE-2025-52725 | Cri | Jun 27, 2025
    risk 0.64 | cvss 9.8 | epss 0.00

    Deserialization of Untrusted Data vulnerability in pebas CouponXxL couponxxl allows Object Injection. This issue affects CouponXxL: from n/a through <= 3.0.0.

  • CVE-2025-52724 | Cri | Jun 27, 2025
    risk 0.64 | cvss 9.8 | epss 0.00

    Deserialization of Untrusted Data vulnerability in BoldThemes Amwerk amwerk allows Object Injection. This issue affects Amwerk: from n/a through <= 1.2.0.

  • CVE-2025-28970 | Cri | Jun 27, 2025
    risk 0.64 | cvss 9.8 | epss 0.00

    Deserialization of Untrusted Data vulnerability in pep.vn WP Optimize By xTraffic wp-optimize-by-xtraffic allows Object Injection. This issue affects WP Optimize By xTraffic: from n/a through <= 5.1.6.

  • CVE-2025-49330 | Cri | Jun 17, 2025
    risk 0.64 | cvss 9.8 | epss 0.00

    Deserialization of Untrusted Data vulnerability in CRM Perks Integration for Contact Form 7 and Zoho CRM, Bigin cf7-zoho allows Object Injection. This issue affects Integration for Contact Form 7 and Zoho CRM, Bigin: from n/a through <= 1.3.0.

  • CVE-2025-31919 | Cri | Jun 17, 2025
    risk 0.64 | cvss 9.8 | epss 0.00

    Deserialization of Untrusted Data vulnerability in themeton Spare allows Object Injection. This issue affects Spare: from n/a through 1.7.

  • CVE-2025-30618 | Cri | Jun 17, 2025
    risk 0.64 | cvss 9.8 | epss 0.01

    Deserialization of Untrusted Data vulnerability in yuliaz Rapyd Payment Extension for WooCommerce rapyd-payments allows Object Injection. This issue affects Rapyd Payment Extension for WooCommerce: from n/a through <= 1.2.0.

  • CVE-2025-49507 | Cri | Jun 10, 2025
    risk 0.64 | cvss 9.8 | epss 0.00

    Deserialization of Untrusted Data vulnerability in LoftOcean CozyStay cozystay allows Object Injection. This issue affects CozyStay: from n/a through < 1.7.1.

  • CVE-2025-31429 | Cri | Jun 9, 2025
    risk 0.64 | cvss 9.8 | epss 0.00

    Deserialization of Untrusted Data vulnerability in themeton PressGrid - Frontend Publish Reaction & Multimedia Theme allows Object Injection. This issue affects PressGrid - Frontend Publish Reaction & Multimedia Theme: from n/a through 1.3.1.

  • CVE-2025-31398 | Cri | Jun 9, 2025
    risk 0.64 | cvss 9.8 | epss 0.00

    Deserialization of Untrusted Data vulnerability in themeton PIMP - Creative MultiPurpose allows Object Injection. This issue affects PIMP - Creative MultiPurpose: from n/a through 1.7.

  • CVE-2025-31396 | Cri | Jun 9, 2025
    risk 0.64 | cvss 9.8 | epss 0.00

    Deserialization of Untrusted Data vulnerability in themeton FLAP - Business WordPress Theme allows Object Injection. This issue affects FLAP - Business WordPress Theme: from n/a through 1.5.

  • CVE-2025-31052 | Cri | Jun 9, 2025
    risk 0.64 | cvss 9.8 | epss 0.00

    Deserialization of Untrusted Data vulnerability in themeton The Fashion - Model Agency One Page Beauty Theme nrgfashion allows Object Injection. This issue affects The Fashion - Model Agency One Page Beauty Theme: from n/a through <= 1.4.4.

  • CVE-2025-49073 | Cri | Jun 6, 2025
    risk 0.64 | cvss 9.8 | epss 0.00

    Deserialization of Untrusted Data vulnerability in axiomthemes Sweet Dessert sweet-dessert allows Object Injection. This issue affects Sweet Dessert: from n/a through < 1.1.13.

  • CVE-2025-49072 | Cri | Jun 6, 2025
    risk 0.64 | cvss 9.8 | epss 0.00

    Deserialization of Untrusted Data vulnerability in AncoraThemes Mr. Murphy mr-murphy allows Object Injection. This issue affects Mr. Murphy: from n/a through < 1.2.12.1.

  • CVE-2025-48336 | Cri | May 29, 2025
    risk 0.64 | cvss 9.8 | epss 0.00

    Deserialization of Untrusted Data vulnerability in ThimPress Course Builder course-builder allows Object Injection. This issue affects Course Builder: from n/a through < 3.6.6.

  • CVE-2025-48289 | Cri | May 23, 2025
    risk 0.64 | cvss 9.8 | epss 0.00

    Deserialization of Untrusted Data vulnerability in AncoraThemes Kids Planet kidsplanet allows Object Injection. This issue affects Kids Planet: from n/a through <= 2.2.14.