The Hospital theme
CVE-2025-60231
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Patchstack rates the deserialization sink as reachable over the network with no authentication and no user interaction (AV:N/AC:L/PR:N/UI:N); a working POP chain gives code execution in the web server's context, so confidentiality, integrity and availability are all High.
Primary rating from Vendor (Patchstack).
CVSS Vector (Vendor: Patchstack)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description (CVE.org)
Deserialization of Untrusted Data vulnerability in EMV The Hospital nrghospital allows Object Injection.
This issue affects The Hospital: from n/a through 1.8.1.
Analysis (AI)
Unauthenticated PHP Object Injection in the EMV "The Hospital" WordPress theme (slug nrghospital), all versions through 1.8.1, lets a remote attacker have the site unserialize data they control; chained with a POP gadget present on the installation (core, theme or another plugin), this can lead to full compromise of the site. CVSS 9.8 reflects unauthenticated network exploitability with high impact on confidentiality, integrity and availability. No public exploit was identified at the time of analysis and the CVE is not listed in CISA KEV.
Technical Context (AI)
The flaw is CWE-502 Deserialization of Untrusted Data in a commercial WordPress theme sold as "The Hospital" (slug nrghospital) by vendor EMV. Theme code sometimes passes visitor-controllable values (cookies, query parameters, AJAX and form submissions, or option values visitors can influence) through PHP's unserialize(). When it does, the attacker decides which class is instantiated and with which property values, so any class loaded at that moment by WordPress core, the theme or an active plugin that has a magic method firing on deserialization or teardown (__wakeup, __unserialize, __destruct, __toString) becomes a candidate gadget. The advisory does not say where the sink is. The CPE cpe:2.3:a:emv:the_hospital:*:*:*:*:*:*:*:* is a wildcard product identifier; the affected range, all versions through 1.8.1 inclusive, comes from the advisory text. Patchstack classifies the bug as "PHP Object Injection", the WordPress-ecosystem term for an unserialize() sink reachable with untrusted input; whether it escalates to code execution on a particular site depends on the gadget chains the installed code provides.
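To make the mechanism concrete, the following is an added example written for this page, not code from the nrghospital theme (whose actual sink the advisory does not identify). The gadget class Theme_Log_Writer, the reader functions vulnerable_read_prefs, hardened_read_prefs_a and hardened_read_prefs_b, and the marker file are all invented for the illustration. It shows a cookie-fed unserialize() sink beside two hardened variants (the allowed_classes option requires PHP 7.0 or later):

```php
<?php
// Added example (not code from the nrghospital theme; the advisory does not identify
// the real sink). A theme-style unserialize() sink fed by a visitor cookie, one gadget
// class standing in for whatever an actual install loads, and two hardened variants.
// All class, function and file names here are this example's own.
declare(strict_types=1);

// Hypothetical gadget: any loaded class whose __destruct() acts on attacker-controlled
// properties. Real chains use classes from WordPress core or installed plugins.
class Theme_Log_Writer
{
    public string $path = '';
    public string $content = '';

    // Fires when the object is released, including objects created by unserialize().
    public function __destruct()
    {
        if ($this->path !== '') {
            file_put_contents($this->path, $this->content);
        }
    }
}

// Vulnerable pattern: the cookie decides which class is instantiated and with which
// properties. The is_array() check comes too late: __destruct() has already run by the
// time the non-array $data is released at the end of the function.
function vulnerable_read_prefs(string $cookie_value): array
{
    $data = @unserialize($cookie_value);
    return is_array($data) ? $data : [];
}

// Hardened pattern A: forbid every class. Object headers decode to
// __PHP_Incomplete_Class, which carries no magic methods of the named class.
function hardened_read_prefs_a(string $cookie_value): array
{
    $data = @unserialize($cookie_value, ['allowed_classes' => false]);
    return is_array($data) ? $data : [];
}

// Hardened pattern B: carry visitor state as JSON, which cannot express objects at all.
function hardened_read_prefs_b(string $cookie_value): array
{
    $data = json_decode($cookie_value, true, 4);
    return is_array($data) ? $data : [];
}

// Constructed attacker cookie: a serialized Theme_Log_Writer (16-character class name)
// that writes a marker file. Built as a string so no real object exists before the sink.
$marker  = sys_get_temp_dir() . '/poi-demo-' . getmypid() . '.txt';
$payload = sprintf(
    'O:16:"Theme_Log_Writer":2:{s:4:"path";s:%d:"%s";s:7:"content";s:11:"gadget ran' . "\n" . '";}',
    strlen($marker),
    $marker
);

// Feed the same cookie to each reader and check whether the gadget fired.
foreach (['vulnerable_read_prefs', 'hardened_read_prefs_a', 'hardened_read_prefs_b'] as $reader) {
    @unlink($marker);
    $reader($payload);
    printf("%-22s gadget fired: %s\n", $reader, file_exists($marker) ? 'yes' : 'no');
}
@unlink($marker);
```

Run it with the PHP CLI: the vulnerable reader creates the marker file because __destruct() fires as soon as the injected object is released, before any type check can reject it, while the allowed_classes => false and JSON readers leave no file behind. On a real site the gadget is whatever core, the theme or another plugin happens to load, which is why the fix is to stop unserializing visitor input rather than to audit gadgets.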
Remediation (AI)
No vendor-released fixed version is identified in the supplied data: the advisory only states that the issue affects versions "from n/a through 1.8.1". Administrators should monitor the theme's update channel and the Patchstack record (https://patchstack.com/database/wordpress/theme/nrghospital/vulnerability/wordpress-the-hospital-theme-1-8-1-php-object-injection-vulnerability) for a release above 1.8.1 and upgrade as soon as one is published. Until then, the most effective compensating control is to deactivate and remove the nrghospital theme in favour of a maintained alternative. If that is not viable, place the site behind a WAF (Patchstack, Wordfence, Cloudflare) with a rule that blocks serialized PHP object headers (O:<length>:"<class>": and the C: form) in query strings, POST bodies and cookies, including URL-encoded and base64-wrapped copies; matching bare a:, s: or i: tokens is far too broad and will block ordinary input. Because the advisory does not identify which endpoint carries the sink, also restrict the theme's admin-ajax.php actions and any unauthenticated forms it exposes as far as the site can tolerate; disabling XML-RPC if it is unused is general hardening rather than a fix for this bug. Trade-offs: signature-based blocking can produce false positives on legitimate admin actions that post serialized data, and removing the theme breaks the front-end design until a replacement is configured.
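The request-screening control described above, as an added example written for this page: it is not Patchstack, Wordfence or theme code, and the regular expression, the function names poi_contains_serialized_object and poi_scan, the file name poi-guard.php and the mu-plugin placement are all this example's own assumptions. Saved under wp-content/mu-plugins/ it runs before any theme or plugin code, so the request is screened whichever theme endpoint turns out to carry the sink; run directly from the CLI it exercises the detector on constructed inputs instead.

```php
<?php
/**
 * Plugin Name: Reject serialized PHP objects in request input (added example)
 */
// Added example of the compensating control discussed on this page. Not Patchstack,
// Wordfence or nrghospital theme code; pattern, function names and placement are
// this example's own assumptions. As wp-content/mu-plugins/poi-guard.php it loads
// before themes and plugins; run from the CLI it checks itself against constructed inputs.

// The one token a PHP Object Injection payload cannot avoid: an object header
// O:<len>:"<class>":<n>:{ (or the C: form for Serializable classes). Bare a:, s: or
// i: tokens are deliberately NOT matched; they occur in ordinary text and in harmless
// serialized arrays. Backslashes are allowed in the class name for namespaced classes.
const POI_OBJECT_HEADER = '/[OC]:\d+:"[A-Za-z_\\\\][A-Za-z0-9_\\\\]*":\d+:\{/';

function poi_contains_serialized_object(string $value): bool
{
    // Check the raw value plus URL-decoded, slash-stripped and base64-decoded copies,
    // since theme code often unwraps one of those before calling unserialize().
    $candidates = [$value, rawurldecode($value), stripslashes($value)];
    $b64 = base64_decode($value, true);
    if ($b64 !== false) {
        $candidates[] = $b64;
    }
    foreach ($candidates as $candidate) {
        if (preg_match(POI_OBJECT_HEADER, $candidate) === 1) {
            return true;
        }
    }
    return false;
}

// Walk nested input (PHP builds arrays from name[x][y] fields) and return the first
// offending parameter name, or null when the request is clean.
function poi_scan(array $input, string $prefix = ''): ?string
{
    foreach ($input as $key => $value) {
        $name = $prefix === '' ? (string) $key : $prefix . '[' . $key . ']';
        if (is_array($value)) {
            $hit = poi_scan($value, $name);
            if ($hit !== null) {
                return $hit;
            }
        } elseif (is_string($value) && poi_contains_serialized_object($value)) {
            return $name;
        }
    }
    return null;
}

if (defined('ABSPATH')) {
    // Loaded by WordPress as a must-use plugin: screen the request before theme code runs.
    $poi_hit = poi_scan(['GET' => $_GET, 'POST' => $_POST, 'COOKIE' => $_COOKIE]);
    if ($poi_hit !== null) {
        error_log('poi-guard: blocked serialized object in ' . $poi_hit
            . ' from ' . ($_SERVER['REMOTE_ADDR'] ?? '?'));
        http_response_code(403);
        header('Content-Type: text/plain; charset=utf-8');
        exit("Forbidden\n");
    }
} else {
    // Run directly: constructed inputs with the verdict each should receive.
    $samples = [
        'O:8:"stdClass":1:{s:1:"a";i:1;}'                               => true,
        'O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A1%3A%22a%22%3Bi%3A1%3B%7D'  => true,   // URL-encoded
        'O:8:\"stdClass\":1:{s:1:\"a\";i:1;}'                            => true,   // slashed
        base64_encode('O:16:"Theme_Log_Writer":0:{}')                   => true,   // base64-wrapped
        'a:1:{s:3:"key";s:5:"value";}'                                   => false,  // array, no class
        'Dr. O: see patient at 12:30, room s:4'                          => false,  // ordinary text
    ];
    foreach ($samples as $input => $expected) {
        $verdict = poi_contains_serialized_object($input);
        printf("%s  %s\n", $verdict === $expected ? 'ok  ' : 'FAIL', $input);
    }
}
```

The trade-off from the paragraph above applies directly: any legitimate admin workflow that posts a serialized object (some importers and settings screens do) will receive a 403 and has to be allowlisted by parameter name, and the screen only covers query string, form body and cookies, not JSON or raw request bodies that a theme might read from php://input.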