WordPress
CVE-2025-60214
Severity: CRITICAL
CVSS Vector (NVD): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
Deserialization of Untrusted Data vulnerability in BoldThemes Goldenblatt goldenblatt allows Object Injection. This issue affects Goldenblatt: from n/a through < 1.3.0.
Analysis (AI)
PHP object injection in the BoldThemes Goldenblatt WordPress theme, versions prior to 1.3.0, allows unauthenticated remote attackers to execute arbitrary code through deserialization of untrusted data. The vulnerability is rated 9.8 (Critical): the attack vector is network-reachable and requires neither privileges nor user interaction. EPSS indicates a low probability of active exploitation (0.10%, 28th percentile), and no public exploit or KEV listing was identified at the time of analysis, so the severity is high in theory while observed real-world exploitation remains limited.
Technical Context (AI)
This vulnerability stems from CWE-502 (Deserialization of Untrusted Data), a dangerous class of flaws in which an application accepts serialized objects from untrusted sources without validation. In PHP, calling unserialize() on attacker-controlled data instantiates any class that is already loaded, with attacker-chosen property values, and triggers its magic methods (__wakeup, __destruct); chaining such classes is known as Property-Oriented Programming (POP), and the resulting gadget chains can lead to code execution. WordPress themes and plugins frequently introduce object injection through improper handling of cookies, POST parameters, or cached data. The Goldenblatt theme by BoldThemes contains such a deserialization weakness: a crafted serialized PHP object, once processed by the theme's code, executes arbitrary logic on the server. The network attack vector (AV:N) indicates the flaw is exploitable remotely over HTTP/HTTPS without local system access.
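The following is an added illustration of the CWE-502 pattern described above, written for this page; it is not code from the Goldenblatt theme, BoldThemes, or Patchstack, and the function names and the layout_prefs cookie are hypothetical. It shows the unsafe shape that a theme handler typically has, a hardened variant that keeps PHP serialization but cannot instantiate objects, and the preferred JSON-based alternative.

```php
<?php
// Added illustration, not the Goldenblatt theme's code. Function names and the
// 'layout_prefs' cookie are hypothetical; the pattern is the generic one that
// CWE-502 describes for WordPress themes and plugins.

// VULNERABLE shape: unserialize() on data the client controls. Any class already
// loaded by WordPress, the theme or any plugin can be instantiated with
// attacker-chosen properties, and its __wakeup()/__destruct() will execute.
function gb_load_layout_settings_unsafe() {
    if (empty($_COOKIE['layout_prefs'])) {
        return array();
    }
    return unserialize(stripslashes($_COOKIE['layout_prefs']));
}

// HARDENED: objects can no longer be created, and the result is validated.
// allowed_classes => false (PHP >= 7.0) turns any serialized object into a
// __PHP_Incomplete_Class placeholder whose magic methods never run. The regex
// pre-check is defence in depth: it rejects payloads carrying an object token
// before unserialize() is even reached.
function gb_load_layout_settings_safe() {
    if (empty($_COOKIE['layout_prefs'])) {
        return array();
    }
    $raw = stripslashes($_COOKIE['layout_prefs']);
    if (preg_match('/(^|[;{])[OC]:\d+:"/', $raw)) {
        return array();
    }
    $data = @unserialize($raw, array('allowed_classes' => false));
    if (!is_array($data)) {
        return array();
    }
    // Allow-list the keys and types the theme actually expects.
    $clean = array();
    if (isset($data['columns']) && is_int($data['columns'])) {
        $clean['columns'] = max(1, min(6, $data['columns']));
    }
    if (isset($data['sidebar'])
        && in_array($data['sidebar'], array('left', 'right', 'none'), true)) {
        $clean['sidebar'] = $data['sidebar'];
    }
    return $clean;
}

// PREFERRED: do not use PHP serialization for client-supplied state at all.
// json_decode() produces only scalars and arrays and can never instantiate an
// application class, so the object-injection primitive disappears entirely.
function gb_load_layout_settings_json() {
    if (empty($_COOKIE['layout_prefs'])) {
        return array();
    }
    $data = json_decode(stripslashes($_COOKIE['layout_prefs']), true);
    return is_array($data) ? $data : array();
}
```

The same allow-listing of keys and types in the hardened variant should be applied to the JSON variant before the values are used; the point of the contrast is that the middle function still parses the legacy serialized format safely for backwards compatibility, while the last one removes the dangerous parser from the request path altogether.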
Affected Products (AI)
BoldThemes Goldenblatt WordPress theme versions prior to 1.3.0 are confirmed vulnerable to PHP object injection. The vulnerability affects all installations running versions from the initial release through 1.2.1, as documented in Patchstack's vulnerability database entry. Organizations should inventory WordPress sites using this commercial theme and verify installed versions against the fixed release. The vendor advisory and technical details are available at https://patchstack.com/database/Wordpress/Theme/goldenblatt/vulnerability/wordpress-goldenblatt-theme-1-2-1-php-object-injection-vulnerability
Remediation (AI)
Immediately upgrade the BoldThemes Goldenblatt theme to version 1.3.0 or later, which addresses the deserialization vulnerability according to Patchstack's disclosure. Site administrators should open the WordPress admin dashboard, navigate to Appearance > Themes, and apply the available update. Sites unable to patch immediately should consider a temporary mitigation: disable the Goldenblatt theme and switch to a secure alternative until the upgrade is complete. No workaround exists for continued use of vulnerable versions, because the unsafe deserialization is fundamental to the codebase. Verify the patch by confirming that the theme version displays as 1.3.0 or higher after the update. Complete technical remediation guidance and the vulnerability timeline are available through the Patchstack reference at https://patchstack.com/database/Wordpress/Theme/goldenblatt/vulnerability/wordpress-goldenblatt-theme-1-2-1-php-object-injection-vulnerability