CVE-2025-49072

EUVD-2025-17116
CRITICAL 9.8 (CVSS 3.1)
2025-06-06

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 14, 2026 - 18:10 (vuln.today)
EUVD ID Assigned: Mar 14, 2026 - 18:10 (euvd), EUVD-2025-17116
CVE Published: Jun 06, 2025 - 13:15 (nvd), CRITICAL 9.8

Description

Deserialization of Untrusted Data vulnerability in AncoraThemes Mr. Murphy allows Object Injection. This issue affects Mr. Murphy: from n/a before 1.2.12.1.

Analysis

A critical deserialization vulnerability in the AncoraThemes Mr. Murphy WordPress theme allows unauthenticated remote attackers to inject arbitrary objects and achieve complete system compromise (confidentiality, integrity, and availability impact). All versions before 1.2.12.1 are vulnerable. With a CVSS score of 9.8 and a network-accessible attack vector requiring no authentication or user interaction, this vulnerability presents an immediate, high-priority threat to affected WordPress installations.

Technical Context

This vulnerability stems from CWE-502: Deserialization of Untrusted Data, a class of flaws where applications deserialize untrusted input without proper validation. The AncoraThemes Mr. Murphy theme likely deserializes user-supplied data (possibly from HTTP requests, cached data, or transients) using PHP's unserialize() function or similar mechanisms without sufficient input validation. This enables Object Injection attacks where attackers craft malicious serialized objects that, when deserialized, trigger unintended code execution through PHP's magic methods (__wakeup, __destruct, __toString) or gadget chains within WordPress/installed libraries. The vulnerability is specific to the Mr. Murphy theme (CPE would be: cpe:2.7:a:ancorathemes:mr_murphy:*:*:*:*:*:wordpress:*:*), affecting WordPress installations using this theme on versions before 1.2.12.1.
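For triage of stored or logged values on a site running this theme, the following added example (not code from the theme or from this advisory) walks a PHP serialize() string and lists the classes that unserialize() would instantiate, without loading anything. The function names and the sample value are constructed for illustration; PHP 8.1 enum values (`E:`) are rejected as unsupported, and where the input comes from is an assumption.

```python
class ParseError(ValueError):
    """Input is not a well-formed (or supported) PHP serialize() string."""

def _expect(data, pos, lit):
    if data[pos:pos + len(lit)] != lit:
        raise ParseError(f"expected {lit!r} at offset {pos}")
    return pos + len(lit)

def _count(data, pos, stop):  # unsigned decimal terminated by `stop`
    idx = data.find(stop, pos)
    if idx < 0 or not data[pos:idx].isdigit():
        raise ParseError(f"bad length or count at offset {pos}")
    return int(data[pos:idx]), idx + len(stop)

def _quoted(data, pos):  # <len>:"<bytes>", len counted in bytes
    n, pos = _count(data, pos, b':"')
    return data[pos:pos + n], _expect(data, pos + n, b'"')

def _value(data, pos, found):
    tag = data[pos:pos + 2]
    if tag == b"N;":
        return pos + 2
    if tag in (b"b:", b"i:", b"d:", b"r:", b"R:"):  # scalars and references
        return _expect(data, data.find(b";", pos), b";")  # -1 fails in _expect
    if tag == b"s:":
        return _expect(data, _quoted(data, pos + 2)[1], b";")
    if tag == b"a:":
        pos += 2
    elif tag in (b"O:", b"C:"):  # object: record the class name, load nothing
        name, pos = _quoted(data, pos + 2)
        found.append(name.decode("latin-1"))
        pos = _expect(data, pos, b":")
    else:
        raise ParseError(f"unsupported type tag {tag!r} at offset {pos}")
    count, pos = _count(data, pos, b":{")
    if tag == b"C:":  # Serializable payload: opaque bytes, skipped unparsed
        pos += count
    else:
        for _ in range(count * 2):  # alternating keys and values
            pos = _value(data, pos, found)
    return _expect(data, pos, b"}")

def object_classes(data):  # class names unserialize() would instantiate
    found = []
    if _value(data, 0, found) != len(data):
        raise ParseError("trailing bytes after value")
    return found

SAMPLE = b'a:1:{s:4:"pref";O:8:"stdClass":1:{s:1:"x";i:1;}}'  # constructed input
```

Because string lengths are honoured, a plain string that merely contains object-like text is not reported, which a substring or regex match would get wrong.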

Affected Products

Mr. Murphy (All versions before 1.2.12.1)

Priority Score

49
KEV: 0
EPSS: +0.1
CVSS: +49
POC: 0
