CVE-2025-48289: 
WordPress vulnerability analysis and mitigation

A Deserialization of Untrusted Data vulnerability was discovered in AncoraThemes Kids Planet WordPress theme that allows Object Injection. This vulnerability affects Kids Planet versions through 2.2.14. The vulnerability was disclosed on May 23, 2025 and received a critical CVSS v3.1 base score of 9.8 (Patchstack).

The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data) and allows PHP Object Injection through untrusted data deserialization. The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating that the vulnerability can be exploited remotely with low attack complexity, requires no privileges or user interaction, and can result in high impacts to confidentiality, integrity and availability (NVD).

If successfully exploited, this vulnerability could allow attackers to execute code injection, SQL injection, path traversal, denial of service, and other attacks if a proper POP chain is present. The specific impact depends on the POP chains available in the installed plugins and themes (Patchstack).

Users are advised to update to version 2.2.14.1 or later to resolve this vulnerability. Patchstack has issued a virtual patch to mitigate this issue by blocking any attacks until users can update to a fixed version (Patchstack).