CVE-2025-60233

| EUVD-2025-208861 CRITICAL
2026-03-19 [email protected]
9.8
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Mar 19, 2026 - 09:22 euvd
EUVD-2025-208861
Analysis Generated
Mar 19, 2026 - 09:22 vuln.today
CVE Published
Mar 19, 2026 - 09:16 nvd
CRITICAL 9.8

Tags

Deserialization

Description

Deserialization of Untrusted Data vulnerability in Themeton Zuut allows Object Injection.This issue affects Zuut: from n/a through 1.4.2.

Analysis

A critical PHP object injection vulnerability exists in the Zuut WordPress theme due to insecure deserialization of untrusted data. The vulnerability affects all versions of Zuut through 1.4.2 and allows unauthenticated remote attackers to execute arbitrary PHP code, potentially leading to complete site compromise. With a CVSS score of 9.8, this vulnerability requires no privileges or user interaction and can be exploited over the network with low complexity.

Technical Context

This vulnerability stems from CWE-502 (Deserialization of Untrusted Data), a critical class of security flaws where applications deserialize user-controlled data without proper validation. In PHP applications like WordPress themes, the unserialize() function can instantiate arbitrary objects and trigger magic methods (__wakeup, __destruct, __toString), enabling attackers to manipulate application logic or execute code through POP (Property-Oriented Programming) chains. The Zuut theme (a WordPress theme by Themeton) fails to properly sanitize user input before passing it to deserialization functions, allowing attackers to inject malicious serialized PHP objects. This vulnerability was identified by Patchstack's security audit team and catalogued in the European Union Vulnerability Database as EUVD-2025-208861.

Affected Products

The Zuut WordPress theme by Themeton is affected in all versions from the initial release through version 1.4.2. The vulnerability was confirmed by Patchstack security researchers ([email protected]) and documented in the European Union Vulnerability Database as EUVD-2025-208861. The complete vulnerability details and affected version information can be found in the Patchstack database at https://patchstack.com/database/wordpress/theme/zuut/vulnerability/wordpress-zuut-theme-1-4-2-php-object-injection-vulnerability.

Remediation

Website administrators using the Zuut theme should immediately upgrade to a patched version newer than 1.4.2 if available from Themeton, or contact the theme vendor directly for security updates. Consult the Patchstack advisory at https://patchstack.com/database/wordpress/theme/zuut/vulnerability/wordpress-zuut-theme-1-4-2-php-object-injection-vulnerability for the latest remediation guidance and patch availability. If an immediate patch is unavailable, consider temporarily switching to an alternative theme until a fix is released, as effective workarounds for PHP object injection vulnerabilities are difficult to implement without code modifications. Implement Web Application Firewall (WAF) rules to detect and block serialized PHP object patterns in HTTP requests as a temporary mitigation layer. Review server logs for suspicious activity patterns indicative of exploitation attempts, such as requests containing serialized PHP payloads (strings beginning with patterns like 'O:' or 'a:').

Priority Score

49
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +49
POC: 0

Share

CVE-2025-60233 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy