PHP Object Injection Vulnerability in MediCenter Theme Affecting 10k+ Sites

Published 12 November 2025

This blog post is about an unauthenticated PHP object injection vulnerability in the MediCenter theme. If you use the MediCenter theme, please update it to version 15.2.

The vulnerability discussed here was discovered and reported by Patchstack Alliance community member Aiden.


About MediCenter theme

The MediCenter theme, which has over 10,000 active installations, allows site owners to create feature-rich healthcare websites, from veterinary and maternity clinics to dental care, physiotherapy, and more.

The security vulnerability

In versions 15.1 and below, the theme is vulnerable to a PHP object injection, which allows any unauthenticated attacker to inject arbitrary PHP objects for deserialization. The vulnerability has been patched in version 15.2 and is tracked with CVE-2025-54014.

The root cause of the issue lies in the mc_theme_gallery_shortcode function:

function mc_theme_gallery_shortcode($atts, $content='', $tag='medicenter_gallery')
{
	global $themename;
	global $post;
	if(isset($_GET["atts"]))//$_GET["action"]=="theme_" . $atts['shortcode_type'] . "_pagination")
		$atts = unserialize(stripslashes($_GET["atts"]));
	extract(shortcode_atts(array(
		"shortcode_type" => "",
		"header" => "",
		"animation" => 0,
		"order_by" => "title menu_order",
		"order" => "ASC",
		"style" => "default",
		"type" => "list_with_details",
		"layout" => "gallery-4-columns",
		"featured_image_size" => "default",
		"hover_icons" => 1,
		"title_box" => 1,
		"details_page" => "",
		"display_method" => "dm_filters",
		"all_label" => "",
		"id" => "",
		"autoplay" => 0,
		"pause_on_hover" => 1,
		"scroll" => 1,
		"effect" => "scroll",
		"easing" => "swing",
		"duration" => 500,
		"items_per_page" => 4,
		"ajax_pagination" => 1,
		"category" => "",
		"ids" => "",
		"display_headers" => 1,
		"headers_type" => "h2",
		"display_social_icons" => 1,
		"images_loop" => 0,
		"el_class" => "",
		"top_margin" => "none"
	), $atts));
	// ... remainder of the function not shown in the advisory
}

The function takes user input from $_GET["atts"], applies stripslashes() to it, and passes the result straight to unserialize() without any check or protection against object injection, assigning the result to $atts.

Although the vulnerable function is defined inside the theme, the AJAX action that invokes it is registered with the nopriv hook in the medicenter_galleries plugin, a plugin the theme requires for its functionality. That registration is what makes the endpoint reachable by unauthenticated visitors:

add_action("wp_ajax_theme_gallery_pagination", "mc_theme_gallery_shortcode");
add_action("wp_ajax_nopriv_theme_gallery_pagination", "mc_theme_gallery_shortcode");

The patch

In version 15.2, the vendor mitigated the vulnerability inside the same unserialize() call by passing the ['allowed_classes' => false] option, which prevents arbitrary classes from being instantiated during deserialization.

Conclusion

It is strongly suggested never to use unserialize() unless absolutely necessary; alternatives such as json_decode() can be used to process the data instead. If unserialize() is unavoidable, the best practice is to always pass ['allowed_classes' => false].
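As an added example (not the theme's or Patchstack's code), the snippet below contrasts the pre-15.2 unserialize() call with the patched ['allowed_classes' => false] form described in the patch section, and shows the json_decode() route recommended above. The WakeupLogger class, the input string and the mc_atts_from_json() helper are constructed for illustration and do not exist in MediCenter.

```php
<?php
// Added example: why ['allowed_classes' => false] neutralises object
// injection in the $_GET["atts"] handling, plus a JSON-based alternative.

// Constructed benign class standing in for any class whose magic method
// unserialize() could trigger. No real gadget chain is shown here.
class WakeupLogger
{
    public $note = '';
    public function __wakeup()
    {
        echo "__wakeup() ran for " . static::class . "\n";
    }
}

// Constructed input: what $_GET["atts"] would carry after stripslashes()
// if it held a serialized object instead of a plain attributes array.
$input = serialize(new WakeupLogger());

// 1. Pre-15.2 behaviour: the class is instantiated and its magic
//    method executes during deserialization.
$unsafe = unserialize($input);
var_dump($unsafe instanceof WakeupLogger);

// 2. Patched behaviour (15.2): the object is not instantiated; it is
//    returned as __PHP_Incomplete_Class and no magic method runs.
$safe = unserialize($input, ['allowed_classes' => false]);
var_dump($safe instanceof __PHP_Incomplete_Class);

// Plain arrays still round-trip, so the shortcode's own attribute arrays
// keep working with the hardened call.
$atts = unserialize(serialize(['layout' => 'gallery-4-columns']),
                    ['allowed_classes' => false]);
var_dump($atts['layout']);

// 3. Preferred alternative: carry attributes as JSON, which can never
//    yield objects with magic methods, and keep only known keys
//    (the same whitelisting shortcode_atts() performs in WordPress).
function mc_atts_from_json(string $raw, array $defaults): array
{
    $decoded = json_decode($raw, true);   // associative arrays only
    if (!is_array($decoded)) {
        return $defaults;                  // reject anything unexpected
    }
    return array_merge($defaults, array_intersect_key($decoded, $defaults));
}
var_dump(mc_atts_from_json('{"layout":"gallery-2-columns","evil":1}',
                           ['layout' => 'gallery-4-columns']));
```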

Want to learn more about finding and fixing vulnerabilities?

Explore our Academy to master the art of finding and patching vulnerabilities within the WordPress ecosystem. Dive deep into detailed guides on various vulnerability types, from discovery tactics for researchers to robust fixes for developers. Join us and contribute to our growing knowledge base.

Timeline

28 June, 2025: We received the vulnerability report and notified the vendor.
11 July, 2025: The vendor submitted the patch to Patchstack.
14 July, 2025: MediCenter version 15.2 was released to patch the reported issue.
28 July, 2025: We published the vulnerability entry to the Patchstack database.
18 November, 2025: Security advisory article publicly released.
