CVE-2025-49434
Published: 20 August 2025
Summary
CVE-2025-49434 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 35.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-49434 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the axiomthemes Cars4Rent WordPress theme, enabling Object Injection. The issue affects Cars4Rent versions from n/a through 1.4.2 and was published on 2025-08-20.
With a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), the vulnerability is exploitable over the network by unauthenticated attackers, with low attack complexity and no user interaction. Exploitation can result in high impact to confidentiality, integrity, and availability: an attacker who can supply serialized data to the theme may inject arbitrary PHP objects, with outcomes as severe as remote code execution.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/cars4rent/vulnerability/wordpress-cars4rent-theme-1-4-2-php-object-injection-vulnerability?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-28307
Vulnerability details
Deserialization of Untrusted Data vulnerability in axiomthemes Cars4Rent cars4rent allows Object Injection. This issue affects Cars4Rent: from n/a through 1.4.2.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unsafe deserialization in a public-facing WordPress theme directly enables unauthenticated remote exploitation (T1190), which can lead to arbitrary code or command execution (T1059).
Mitigating Controls (NIST 800-53 r5)
Flaw remediation requires identifying, testing, and applying patches for known deserialization vulnerabilities like CVE-2025-49434 in the Cars4Rent WordPress theme.
Information input validation directly prevents deserialization of untrusted data by enforcing checks on serialized inputs before processing in the vulnerable theme.
Vulnerability monitoring and scanning detects the object injection flaw in Cars4Rent and triggers remediation to prevent exploitation.
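To make the input-validation control concrete, the following PHP is an added illustration of the CWE-502 pattern behind a PHP object injection flaw and two hardened replacements. It is hypothetical example code, not Cars4Rent's actual theme code, and the function names and the `filters` request parameter are assumptions.

```php
<?php
// Hypothetical example (not the Cars4Rent theme's own code) of the CWE-502
// pattern and its hardened forms. Assumed context: a theme endpoint that
// persists a visitor's search filters in a request parameter named "filters".

// VULNERABLE PATTERN: serialized data from an unauthenticated request goes
// straight into unserialize(). Any loaded class can be instantiated with
// attacker-controlled properties, and its magic methods (__wakeup(),
// __destruct(), __toString(), ...) run as a side effect. That is PHP object
// injection.
function load_filters_vulnerable(string $raw): array {
    $data = unserialize($raw); // CWE-502: untrusted input, no class restriction
    return is_array($data) ? $data : [];
}

// HARDENED VARIANT 1 (SI-10): keep the PHP serialization format but forbid
// object instantiation entirely (PHP >= 7.0). Serialized objects are turned
// into __PHP_Incomplete_Class placeholders, which carry no magic methods.
function load_filters_hardened(string $raw): array {
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return [];
    }
    // Accept only plain scalars (strings, ints, floats, bools); drop the rest.
    return array_filter($data, 'is_scalar');
}

// HARDENED VARIANT 2: switch to a data format that cannot express objects.
// JSON decoded with assoc=true yields only arrays and scalars; the depth limit
// and JSON_THROW_ON_ERROR reject oversized or malformed input.
function load_filters_json(string $raw): array {
    try {
        $data = json_decode($raw, true, 16, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return [];
    }
    return is_array($data) ? array_filter($data, 'is_scalar') : [];
}

// Constructed sample inputs: an innocuous array, and a serialized object
// (an ordinary stdClass with a made-up property) standing in for hostile input.
$benign = serialize(['make' => 'any', 'seats' => 4]);
$object = serialize((object) ['cmd' => 'placeholder']);

var_dump(load_filters_hardened($benign));        // array with 'make' and 'seats'
var_dump(load_filters_hardened($object));        // empty array: object rejected
var_dump(load_filters_json('{"make":"any","seats":4}')); // same array via JSON
```

The same `allowed_classes` restriction is available wherever a theme or plugin cannot avoid `unserialize()` on data it did not generate itself.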