CVE-2025-60216

Severity: CRITICAL, CVSS 3.1 base score 9.8
Published: 2025-10-22 (source: [email protected])

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 15:22 (vuln.today)
CVE Published: Oct 22, 2025 - 15:15 (nvd)

Description

Deserialization of Untrusted Data vulnerability in BoldThemes Addison addison allows Object Injection. This issue affects Addison: from n/a through < 1.4.8.

Analysis

PHP object injection in versions of the BoldThemes Addison WordPress theme prior to 1.4.8 allows an unauthenticated remote attacker to execute arbitrary code through unsafe deserialization. The flaw carries a critical CVSS 9.8 score: network attack vector, no privileges required and no user interaction. No public exploit was identified at the time of analysis, and the EPSS score of 0.10% (10th percentile) indicates a low observed exploitation probability despite the high theoretical severity.

Technical Context

This vulnerability is an instance of CWE-502 (Deserialization of Untrusted Data) in the Addison WordPress theme by BoldThemes. PHP object injection occurs when an application passes user-controlled data to unserialize() without validating it or restricting which classes may be instantiated, so the attacker chooses the class of the resulting objects. If the application contains gadget chains, that is, existing classes whose magic methods such as __wakeup, __destruct or __toString run automatically on the reconstructed objects, those methods can be chained to reach code execution, SQL injection or file manipulation. WordPress themes frequently handle serialized data for configuration storage, theme options or custom post types. The vulnerability exists in versions up to and including 1.4.7, indicating a long-standing code pattern that persisted across multiple releases before detection and remediation.

Affected Products

This vulnerability affects BoldThemes Addison WordPress theme in all versions from the initial release through version 1.4.7. The Patchstack advisory specifically documents the flaw in version 1.4.2, indicating the vulnerability existed across multiple release cycles. Organizations running any Addison theme version prior to 1.4.8 should consider themselves affected. The vulnerability was reported through Patchstack's coordinated disclosure program ([email protected]), suggesting responsible disclosure practices were followed. The vendor advisory and technical details are available at https://patchstack.com/database/Wordpress/Theme/addison/vulnerability/wordpress-addison-theme-1-4-2-php-object-injection-vulnerability.

Remediation

Organizations must immediately upgrade the BoldThemes Addison WordPress theme to version 1.4.8 or later, which addresses the unsafe deserialization. In the WordPress admin dashboard, open Appearance > Themes, check for available updates, and apply the Addison 1.4.8 update. Where immediate patching is not feasible, apply defense-in-depth controls: Web Application Firewall (WAF) rules that inspect and block serialized PHP objects in POST/GET parameters, restricted write permissions on theme files, and monitoring of PHP error logs for suspicious deserialization attempts. Organizations no longer using Addison should deactivate and remove the theme entirely to eliminate the attack surface. Complete remediation guidance and technical details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/addison/vulnerability/wordpress-addison-theme-1-4-2-php-object-injection-vulnerability. Verify remediation by confirming that the theme version shown in the WordPress admin panel is 1.4.8 or later.
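As an added example that is not code from the Addison theme or from the Patchstack advisory, the PHP below contrasts the unsafe unserialize() pattern described under Technical Context with a hardened loader of the kind the remediation advice calls for; it assumes PHP 8, and the function names and the class name in the constructed input are hypothetical.

```php
<?php
// Added illustration, not the Addison theme's code; assumes PHP 8. Function
// names and the class name in the constructed input are hypothetical.

// Unsafe (the CWE-502 pattern): untrusted bytes reach unserialize() with all
// classes allowed, so any loaded class can be instantiated and its
// __wakeup()/__destruct() run as a side effect.
function load_options_unsafe(string $raw): mixed
{
    return unserialize($raw);
}

// Hardened: allowed_classes => false turns every O:/C: token into
// __PHP_Incomplete_Class, whose magic methods never run; any object is then
// rejected outright, and max_depth bounds nesting against resource exhaustion.
function load_options_safe(string $raw): array
{
    $data = @unserialize($raw, ['allowed_classes' => false, 'max_depth' => 8]);
    if ($data === false && $raw !== 'b:0;') {
        throw new InvalidArgumentException('malformed serialized data');
    }
    if (contains_object($data)) {
        throw new InvalidArgumentException('serialized object rejected');
    }
    return is_array($data) ? $data : [];
}

// Recursive check: __PHP_Incomplete_Class is still an object to is_object().
function contains_object(mixed $v): bool
{
    if (is_object($v)) {
        return true;
    }
    if (is_array($v)) {
        foreach ($v as $item) { if (contains_object($item)) { return true; } }
    }
    return false;
}

// Constructed inputs: a benign options array, and an array smuggling a
// serialized object token that names a hypothetical class.
$benign  = serialize(['color' => '#fff', 'layout' => 'wide']);
$hostile = 'a:1:{s:3:"cfg";O:11:"SomeClassXY":0:{}}';
echo load_options_safe($benign)['layout'], "\n";
try {
    load_options_safe($hostile);
} catch (InvalidArgumentException $e) {
    echo 'blocked: ', $e->getMessage(), "\n";
}
```

The reject-on-object check is the code-level counterpart of the WAF rule above; the two are complementary, since a request filter alone cannot see data that reaches unserialize() from storage.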

Priority Score

Score: 49 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.1
CVSS: +49
POC: 0


CVE-2025-60216 vulnerability details – vuln.today
