What is CVE-2025-39348?

CVE-2025-39348 is tracked as a Vulnerability issue affecting the Theme Grand Restaurant WordPress.

Which Grand Restaurant WordPress versions are affected?

The primary affected range is Versions up to 7.0.

How should operators remediate CVE-2025-39348?

No patched release is listed in this record, so monitor the vendor and linked references before accepting the risk.

Vulnerability Report

Theme Critical No patch listed CVE-2025-39348

Grand Restaurant WordPress <= 7.0 - Unauthenticated PHP Object Injection

The Grand Restaurant WordPress theme for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 7.0 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Quick Answer

CVE-2025-39348 is a critical severity with CVSS 9.8 Vulnerability issue affecting the Theme Grand Restaurant WordPress. It affects Versions up to 7.0 and is listed without a confirmed patched release.

Back to Feed View Theme Hub Open CVE Reference

Published

Apr 21, 2025

Last Updated

Apr 30, 2025

Slug

grandrestaurant

Risk Profile

9.8 CVSS Score

Weakness

Deserialization of Untrusted Data

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Researchers

Ananda Dhakal

Operational Summary

What the operator needs to know

Share Email

Patch Status

No patched release listed

Remediation

No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.

Operator Briefing

CVE-2025-39348 is tracked for the Theme Grand Restaurant WordPress as critical severity with CVSS 9.8. The affected range is Versions up to 7.0. No fixed release is listed in this feed entry, so operators should monitor the vendor and reference links before accepting the risk.

Issue Type

Vulnerability

Primary Fixed Version

Not published

Primary Affected Range

Versions up to 7.0

Tracking ID

CVE-2025-39348

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/bb3f2af4-b5cc-43c0-8425-224281300d66?source=api-prod

Detailed Metadata

Software Type	Theme
Software Slug	grandrestaurant View on wordpress.org
CVE	CVE-2025-39348
Patched Versions	No patched versions published.
Affected Versions	Versions up to 7.0

Related CVE Cluster

Related CVEs for Grand Restaurant WordPress

These internal links group the same WordPress theme by CVE, issue type, severity, and patch status so operators and search engines can connect the full vulnerability cluster.

Critical CVE-2025-32926 No patch listed Apr 21, 2025

CVE-2025-32926 Grand Restaurant WordPress Vulnerability

Grand Restaurant WordPress <= 7.0 - Unauthenticated PHP Object Injection via Path Traversal

High CVE-2025-39352 No patch listed Apr 21, 2025

CVE-2025-39352 Grand Restaurant WordPress Vulnerability

Grand Restaurant WordPress <= 7.0 - Missing Authorization to Unauthenticated Arbitrary Options Deletion

High CVE-2026-23542 7.0.11 Feb 18, 2026

CVE-2026-23542 Grand Restaurant WordPress Vulnerability

Grand Restaurant <= 7.0.10 - Unauthenticated PHP Object Injection

Medium CVE-2025-67922 7.0.9 Jan 05, 2026

CVE-2025-67922 Grand Restaurant WordPress Cross-Site Scripting

Grand Restaurant < 7.0.9 - Reflected Cross-Site Scripting

Medium CVE-2025-39353 No patch listed Apr 18, 2025

CVE-2025-39353 Grand Restaurant WordPress Vulnerability

Grand Restaurant WordPress <= 7.0 - Missing Authorization

Medium CVE-2025-39351 No patch listed Apr 18, 2025

CVE-2025-39351 Grand Restaurant WordPress Cross-Site Request Forgery

Grand Restaurant WordPress <= 7.0 - Cross-Site Request Forgery

Licensing Notices

This record contains material that is subject to copyright

DEFIANT

License: Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy. Read more

MITRE

License: CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy. Read more