CVE-2025-49073 — AI Deep Analysis Summary

🚨 **Essence**: Untrusted data deserialization in 'Sweet Dessert' plugin. 💥 **Consequences**: PHP Object Injection.…

🛡️ **Root Cause**: **CWE-502** (Deserialization of Untrusted Data). The plugin fails to validate or sanitize input before passing it to PHP's `unserialize()` or similar functions, allowing malicious object construction.

🏢 **Affected**: Vendor: **axiomthemes**. Product: **Sweet Dessert** (WordPress Theme/Plugin). 📉 **Version**: Versions **prior to 1.1.13** are vulnerable. 1.1.13+ is safe.

💀 **Attacker Capabilities**: Full **Object Injection**. This can lead to Remote Code Execution (RCE), arbitrary file inclusion, or privilege escalation.…

⚡ **Exploitation Threshold**: **LOW**. CVSS Vector: `AV:N/AC:L/PR:N/UI:N`. No authentication required. No user interaction needed. Network-accessible. Extremely easy to exploit remotely.

🔍 **Public Exploit**: **No specific PoC provided** in the data. However, given the low CVSS complexity and nature of the flaw, generic PHP Object Injection payloads are likely applicable. High risk of wild exploitation.

🔎 **Self-Check**: Scan for **Sweet Dessert** theme/plugin. Check version number. If < **1.1.13**, you are vulnerable. Look for unserialized inputs in theme functions or plugin hooks.

✅ **Official Fix**: **Yes**. Update to version **1.1.13** or later. The vendor (axiomthemes) has released a patch addressing the deserialization flaw. Check official WordPress repository or vendor site.

🚧 **No Patch Workaround**: Disable the theme/plugin immediately. If essential, restrict access via firewall/WAF. Block outbound connections from the server. Monitor logs for suspicious `unserialize` calls.

🔥 **Urgency**: **CRITICAL**. CVSS Score is High (implied by H:H:H). No auth required. Publicly known. **Action**: Patch immediately. Do not wait. This is a high-priority security incident.