CVE-2025-31634 HIGH

CVE-2025-31634: WordPress Insurance theme <= 3.5 - PHP Object Injection Vulnerability

Vendor Designthemes
Product Insurance
Weakness CWE-502 · Unsafe deserialization
Published October 22, 2025
Last update April 28, 2026

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

Deserialization of Untrusted Data vulnerability in designthemes Insurance insurance allows Object Injection. This issue affects Insurance: from n/a through <= 3.5.

Explanation of Vulnerability in Simple Terms

02 Summary

The Insurance theme by DesignThemes, versions 3.5 and earlier, contains a deserialization vulnerability in how it processes untrusted data. An authenticated attacker can exploit this to read sensitive site data, modify content, or disrupt service availability. No user interaction is required. Update to a version newer than 3.5 immediately.

What an attacker can do

03 Attacker Capabilities

Read sensitive data, modify site content, or crash the site by sending malicious serialized data.

Potential impact on your site

04 Site Impact

Any authenticated user can compromise site confidentiality, integrity, and availability without additional interaction.

Conditions required to exploit

05 Prerequisites

The attacker must have a valid user account with low-level privileges and network access to the site.

Key dates

06 Disclosure timeline

October 22, 2025 CVE published
April 28, 2026 Record updated