CVE-2025-52828 HIGH

CVE-2025-52828: WordPress Red Art theme <= 3.8 - PHP Object Injection Vulnerability

Vendor Designthemes

Product Red Art

Weakness CWE-502 · Unsafe deserialization

Published July 4, 2025

Last update May 12, 2026

View on NVD All CVEs

CVSS base score

8.8/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Deserialization of Untrusted Data vulnerability in designthemes Red Art redart allows Object Injection.This issue affects Red Art: from n/a through <= 3.8.

Explanation of Vulnerability in Simple Terms

02Summary

Red Art versions 3.8 and earlier contain a deserialization vulnerability that allows authenticated users to execute arbitrary code on the site. An attacker with low-level access can craft malicious serialized data that, when processed by the application, runs their own PHP code. This affects confidentiality, integrity, and availability of the site.

What an attacker can do

03Attacker Capabilities

Run arbitrary code on the site with the privileges of the web server.

Potential impact on your site

04Site Impact

Compromised site with potential data theft, malware injection, or complete takeover.

Conditions required to exploit

05Prerequisites

Attacker must have a low-level user account (e.g., subscriber or contributor role).

Key dates

06Disclosure timeline

July 4, 2025 CVE published

May 12, 2026 Record updated

External resources

07References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-52828 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/502.html

Related vulnerabilities