CVE-2025-60214

CRITICAL
2025-10-22 [email protected]
9.8
CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 15:22 (vuln.today)
CVE Published: Oct 22, 2025 - 15:15 (nvd), rated CRITICAL 9.8

Description

Deserialization of Untrusted Data vulnerability in BoldThemes Goldenblatt goldenblatt allows Object Injection. This issue affects Goldenblatt: from n/a through < 1.3.0.

Analysis

PHP object injection in the BoldThemes Goldenblatt WordPress theme, versions prior to 1.3.0, enables unauthenticated remote attackers to execute arbitrary code through deserialization of untrusted data. The vulnerability scores 9.8 (Critical), with a network-exploitable attack vector requiring no privileges or user interaction. EPSS indicates a low probability (0.10%, 28th percentile) of active exploitation, and no public exploit or KEV listing was identified at the time of analysis, suggesting high theoretical severity but currently limited real-world exploitation activity.

Technical Context

This vulnerability stems from CWE-502 (Deserialization of Untrusted Data), a dangerous class of flaws in which an application accepts serialized objects from untrusted sources without validation. In PHP, calling unserialize() on attacker-controlled data can instantiate any class already loaded by the application and trigger its magic methods (__wakeup, __destruct); chaining such classes, known as gadgets, into a Property-Oriented Programming (POP) chain can lead to code execution. WordPress themes and plugins frequently introduce object injection vulnerabilities through improper handling of cookies, POST parameters, or cached data. The Goldenblatt theme by BoldThemes contains such a deserialization weakness, allowing malicious actors to craft serialized PHP objects that, when processed by the theme's code, execute arbitrary logic on the server. The network attack vector (AV:N) indicates this can be exploited remotely over HTTP/HTTPS without requiring local system access.
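As an added illustration of the CWE-502 pattern described above (this is not the Goldenblatt theme's code or anything from the advisory; the class, option and path names are constructed), the following standalone PHP script contrasts a handler that hands request data straight to unserialize() with a hardened variant that refuses to reconstruct objects and validates the result's shape:

```php
<?php
// Added illustration of the CWE-502 pattern described above. This is NOT the
// Goldenblatt theme's code; class, option and path names are constructed.

// Any class already loaded on a WordPress site can serve as a gadget: its
// magic methods run when unserialize() builds the object or destroys it.
class Cache_Writer {
    public $path;
    public $data;
    public function __destruct() {
        // A real gadget would write $this->data to $this->path.
        echo "[gadget] __destruct reached with path={$this->path}\n";
    }
}

// VULNERABLE: request-supplied value handed straight to unserialize().
function load_layout_vulnerable(string $raw) {
    return unserialize(base64_decode($raw));
}

// HARDENED: objects are never reconstructed from untrusted input.
// allowed_classes=false (PHP >= 7.0) yields __PHP_Incomplete_Class instead
// of real objects, so no magic method fires; the shape is then validated.
function load_layout_hardened(string $raw): array {
    $decoded = base64_decode($raw, true);
    if ($decoded === false) { return []; }
    $val = @unserialize($decoded, ['allowed_classes' => false]);
    if (!is_array($val)) { return []; }
    $schema = ['columns' => 'integer', 'sidebar' => 'string'];
    $out = [];
    foreach ($schema as $key => $type) {
        if (isset($val[$key]) && gettype($val[$key]) === $type) {
            $out[$key] = $val[$key];
        }
    }
    return $out;
}

// Constructed inputs: a legitimate layout and a serialized gadget object.
$benign  = base64_encode(serialize(['columns' => 2, 'sidebar' => 'left']));
$hostile = base64_encode('O:12:"Cache_Writer":2:{s:4:"path";s:13:"/tmp/demo.txt";s:4:"data";s:1:"x";}');

$obj = load_layout_vulnerable($hostile);
echo 'vulnerable handler built an object of class: ', get_class($obj), "\n";
unset($obj);  // the gadget's __destruct runs here

echo 'hardened handler, hostile input: ', json_encode(load_layout_hardened($hostile)), "\n";
echo 'hardened handler, benign input:  ', json_encode(load_layout_hardened($benign)), "\n";
```

Where the stored state is plain configuration, storing it as JSON and reading it with json_decode($raw, true) removes the class machinery altogether and is the simpler fix.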

Affected Products

BoldThemes Goldenblatt WordPress theme versions prior to 1.3.0 are confirmed vulnerable to PHP object injection. The vulnerability affects all installations running versions from the initial release through 1.2.1, as documented in Patchstack's vulnerability database entry. Organizations should inventory WordPress sites using this commercial theme and verify installed versions against the fixed release. The vendor advisory and technical details are available at https://patchstack.com/database/Wordpress/Theme/goldenblatt/vulnerability/wordpress-goldenblatt-theme-1-2-1-php-object-injection-vulnerability

Remediation

Immediately upgrade the BoldThemes Goldenblatt theme to version 1.3.0 or later, which addresses the deserialization vulnerability according to Patchstack's disclosure. Site administrators should open the WordPress admin dashboard, navigate to Appearance > Themes, and apply the available update. For sites unable to patch immediately, consider temporary mitigation by disabling the Goldenblatt theme and switching to a secure alternative until the upgrade is complete. No workaround exists for continued use of vulnerable versions, because the unsafe deserialization is fundamental to the affected codebase. Verify patch success by confirming that the displayed theme version is 1.3.0 or higher after the update. Complete technical remediation guidance and the vulnerability timeline are available through the Patchstack reference at https://patchstack.com/database/Wordpress/Theme/goldenblatt/vulnerability/wordpress-goldenblatt-theme-1-2-1-php-object-injection-vulnerability

Priority Score

49 (scale: Low / Medium / High / Critical)

KEV: 0
EPSS: +0.1
CVSS: +49
POC: 0
