CVE-2025-49073: 
WordPress vulnerability analysis and mitigation

A Deserialization of Untrusted Data vulnerability (CVE-2025-49073) was discovered in Axiomthemes Sweet Dessert WordPress theme, affecting versions before 1.1.13. The vulnerability was reported on April 9, 2025, by Tran Nguyen Bao Khanh from VCI - VNPT Cyber Immunity and was publicly disclosed on June 3, 2025 (Patchstack Database).

The vulnerability is classified as a PHP Object Injection issue, stemming from improper handling of deserialized untrusted data. It has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The vulnerability is tracked under CWE-502 (Deserialization of Untrusted Data) (Patchstack Database).

This vulnerability could potentially allow malicious actors to execute code injection, SQL injection, path traversal, or denial of service attacks if a proper POP chain is present. The high CVSS score of 9.8 indicates that this vulnerability is highly dangerous and expected to become mass exploited (Patchstack Database).

Users are strongly advised to update to version 1.1.13 or later of the Sweet Dessert theme to resolve this vulnerability. For immediate protection, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack Database).