PHP Object Injection Vulnerability in Education Theme for WordPress
CVE-2024-13786
9.8 CRITICAL
Key Information:
- Vendor: WordPress
- CVE Published: 2 July 2025
What is CVE-2024-13786?
The Education theme for WordPress is vulnerable to PHP Object Injection through the deserialization of untrusted input in the 'themerex_callback_view_more_posts' function. This issue affects all versions up to and including 3.6.10 and potentially allows unauthenticated attackers to inject a PHP object. There is no Property-Oriented Programming (POP) chain present in the theme itself, but if any additional plugin or theme containing a POP chain is installed, injection could lead to severe consequences, including arbitrary file deletion, sensitive data retrieval, or even remote code execution, depending on the specifics of the exploitation vector.
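An added illustration (not the theme's code, which this page does not show) of why the impact depends on classes supplied by other plugins, and how restricting `unserialize()` removes that dependency. `OtherPluginCache`, `contains_object` and `decode_untrusted` are hypothetical names, and the sample inputs are constructed.

```php
<?php
// Constructed stand-in for a class defined by some other installed plugin.
// PHP calls __wakeup() automatically whenever an instance is deserialized.
class OtherPluginCache {
    public static $wakeups = 0;
    public $path = '';
    public function __wakeup() { self::$wakeups++; }
}

// True if the decoded value holds an object at any depth. With
// allowed_classes=false, objects arrive as __PHP_Incomplete_Class.
function contains_object($value): bool {
    if (is_object($value) || $value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) { return true; }
        }
    }
    return false;
}

// Hypothetical helper: decode request data that should only hold scalars and
// arrays. Returns null for malformed input or input carrying any object.
function decode_untrusted(string $raw) {
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if ($value === false && $raw !== 'b:0;') {
        return null;
    }
    return contains_object($value) ? null : $value;
}

// Constructed inputs: plain paging data, and the same data carrying an object.
$plain      = serialize(['page' => 2, 'category' => 'news']);
$withObject = serialize(['page' => 2, 'extra' => new OtherPluginCache()]);

// Unrestricted call: the other plugin's magic method runs on attacker input.
unserialize($withObject);
var_dump(OtherPluginCache::$wakeups);

// Restricted call: the object is refused and no class is instantiated.
var_dump(decode_untrusted($withObject));
var_dump(OtherPluginCache::$wakeups);

// Plain scalar and array data still decodes normally.
var_dump(decode_untrusted($plain));
```

Where the data format is under the developer's control, `json_decode()` avoids object instantiation altogether.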
Affected Version(s)
Education Center | LMS & Online Courses WordPress Theme * <= 3.6.10