
Creatify WordPress Theme CVE-2025-60236

Severity: CRITICAL, 9.8 (CVSS 3.1, Vendor: Patchstack)
Weakness: Deserialization of Untrusted Data (CWE-502)
2026-06-17 · Patchstack

Severity by source

Vendor (Patchstack), primary: 9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

vuln.today AI: 8.1 HIGH

Network-reachable unauthenticated PHP object injection (AV:N/PR:N/UI:N), but reliable RCE typically depends on a usable POP gadget chain in co-installed components, justifying AC:H; full CIA impact retained.

CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS Vector (Vendor: Patchstack)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

1. Analysis Generated: Jun 17, 2026 - 14:49 (vuln.today)

Description (CVE.org)

Deserialization of Untrusted Data vulnerability in EMV Creatify allows Object Injection.

This issue affects Creatify: from n/a through 1.5.

Analysis (AI)

PHP Object Injection in the EMV Creatify WordPress theme (versions up to and including 1.5) allows remote unauthenticated attackers to trigger insecure deserialization of attacker-supplied data, potentially leading to arbitrary code execution, file operations, or full site compromise depending on available gadget chains in the WordPress runtime. Patchstack catalogs this as a PHP Object Injection issue under CWE-502, and no public exploit was identified at time of analysis. EPSS data was not supplied, but the CVSS 9.8 rating reflects unauthenticated network-reachable impact.

Technical Context (AI)

Creatify is a commercial WordPress theme distributed by EMV and tracked under CPE cpe:2.3:a:emv:creatify. The root cause is CWE-502 (Deserialization of Untrusted Data), which in WordPress themes commonly manifests as a call to PHP's unserialize() on attacker-controllable input (e.g., a cookie, POST parameter, or option value) without any integrity check. When unserialize() processes attacker data, PHP instantiates whatever classes the payload names and may invoke magic methods such as __wakeup, __destruct, or __toString on them. In the WordPress ecosystem this is dangerous because an attacker can chain such methods from WordPress core, other active plugins, or the theme itself (a property-oriented programming, or 'POP', chain) to achieve file writes, SQL execution, or code execution, even when the theme alone contains no obviously dangerous sink.
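The pattern described above, as an added example: this is not the Creatify theme's code or anything from the Patchstack record, and the class and function names (Demo_Gadget, MyTheme_Prefs, mytheme_*) and the DEMO_SECRET placeholder are hypothetical. It shows the vulnerable unserialize() call on client data beside two hardened alternatives: an allowed_classes allow-list, and the preferred approach of never deserializing objects from the client at all (JSON plus an HMAC keyed by a server-side secret).

```php
<?php
// Added example, not code from the Creatify theme or Patchstack.
// Class/function names and DEMO_SECRET are hypothetical.

// Harmless stand-in for a gadget class: it only records that PHP ran its magic
// method during deserialization. Real gadget chains do file or DB work here.
class Demo_Gadget {
    public static $wakeupCalls = 0;
    public function __wakeup() { self::$wakeupCalls++; }
}

// The theme's own, legitimate settings object.
class MyTheme_Prefs {
    public $layout = 'default';
}

// VULNERABLE pattern (CWE-502): untrusted cookie/POST data goes straight into
// unserialize(). Any class named in the payload is instantiated and its magic
// methods (__wakeup, __destruct, __toString) execute.
function mytheme_load_prefs_vulnerable(string $raw) {
    return unserialize($raw);
}

// HARDENED 1: allow-list the one class we expect. Anything else deserializes to
// __PHP_Incomplete_Class, whose magic methods never run.
function mytheme_load_prefs_allowlist(string $raw): MyTheme_Prefs {
    $obj = unserialize($raw, ['allowed_classes' => ['MyTheme_Prefs']]);
    return $obj instanceof MyTheme_Prefs ? $obj : new MyTheme_Prefs();
}

// HARDENED 2 (preferred): never deserialize objects from the client. Store JSON,
// authenticate it with an HMAC keyed by a server-side secret (in WordPress,
// wp_salt('auth') is the natural key), and fall back to defaults on mismatch.
const DEMO_SECRET = 'replace-with-server-side-secret'; // placeholder, hypothetical

function mytheme_encode_prefs(MyTheme_Prefs $p): string {
    $json = json_encode(['layout' => $p->layout]);
    return base64_encode($json) . '.' . hash_hmac('sha256', $json, DEMO_SECRET);
}

function mytheme_load_prefs_signed(string $raw): MyTheme_Prefs {
    $p = new MyTheme_Prefs();
    $parts = explode('.', $raw, 2);
    if (count($parts) !== 2) { return $p; }
    $json = base64_decode($parts[0], true);
    if ($json === false || !hash_equals(hash_hmac('sha256', $json, DEMO_SECRET), $parts[1])) {
        return $p; // tampered or malformed: defaults only
    }
    $data = json_decode($json, true);
    // Validate the shape and value, not just the signature.
    if (is_array($data) && isset($data['layout']) && in_array($data['layout'], ['default', 'wide'], true)) {
        $p->layout = $data['layout'];
    }
    return $p;
}

// Demonstration with a constructed payload that names the stand-in gadget class.
$payload = 'O:11:"Demo_Gadget":0:{}';

mytheme_load_prefs_vulnerable($payload);
printf("vulnerable: __wakeup ran %d time(s)\n", Demo_Gadget::$wakeupCalls);

$obj = mytheme_load_prefs_allowlist($payload);
printf("allowlist: got %s, __wakeup ran %d time(s)\n", get_class($obj), Demo_Gadget::$wakeupCalls);

$prefs = new MyTheme_Prefs();
$prefs->layout = 'wide';
$cookie = mytheme_encode_prefs($prefs);
printf("signed, intact: layout=%s\n", mytheme_load_prefs_signed($cookie)->layout);
printf("signed, tampered: layout=%s\n", mytheme_load_prefs_signed($cookie . 'x')->layout);
```

Run it with `php example.php`. The allow-list variant is the smaller change to an existing code base, but it still runs the unserialize() parser on hostile input; the signed-JSON variant removes the object-instantiation sink entirely, which is why it is the better target when the theme is being patched rather than merely mitigated.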

Remediation (AI)

An upstream fix is available per the Patchstack advisory, but the patched version number was not independently confirmed in the supplied data. Administrators should consult the Patchstack record at https://patchstack.com/database/wordpress/theme/creatify/vulnerability/wordpress-creatify-theme-1-5-php-object-injection-vulnerability and upgrade Creatify to the vendor-supplied version above 1.5 as soon as it is identified. If a fixed version cannot be obtained promptly, compensating controls include: deploying Patchstack's vPatch or a WAF rule that blocks serialized PHP payloads (regex matching on patterns like O:\d+:" or a:\d+:{) on requests to wp-admin/admin-ajax.php and theme endpoints, at the cost of potential false positives on legitimate serialized cookies; temporarily switching to a different theme until patched; or restricting access to the affected theme's request handlers via web server ACLs, which may break front-end functionality. Audit for indicators of prior exploitation (unexpected admin users, modified PHP files, scheduled cron entries) before applying any fix.
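The interim WAF-style check described above, as an added example: this is not Patchstack's vPatch or any vendor's rule, and the parameter name and sample requests are constructed. It applies the two patterns from the remediation text to URL-decoded request parameters and includes a legitimate serialized array so the false-positive trade-off the text mentions is visible in the output.

```php
<?php
// Added example, not Patchstack's vPatch or any vendor WAF rule.
// Parameter names and sample requests are constructed for illustration.

// The two patterns named in the remediation guidance: a serialized PHP object
// header and a serialized PHP array header.
const SERIALIZED_PATTERNS = [
    'php_object' => '/O:\d+:"/',
    'php_array'  => '/a:\d+:\{/',
];

// Returns a list of [parameter, pattern-name] hits. Values are URL-decoded
// before matching because a web server hands the rule the raw query/body and
// browsers percent-encode quotes and braces.
function scan_params_for_serialized(array $params): array {
    $hits = [];
    foreach ($params as $name => $value) {
        if (!is_string($value)) { continue; }
        $decoded = urldecode($value);
        foreach (SERIALIZED_PATTERNS as $label => $re) {
            if (preg_match($re, $decoded)) {
                $hits[] = [$name, $label];
            }
        }
    }
    return $hits;
}

// Constructed sample requests. The second one is a benign serialized array of
// the kind a legitimate cookie might carry; the rule flags it anyway, which is
// the false-positive cost the remediation text warns about.
$requests = [
    'benign JSON cookie'       => ['prefs' => '{"layout":"wide"}'],
    'legitimate serialized'    => ['prefs' => 'a:1:{s:6:"layout";s:4:"wide";}'],
    'object header, encoded'   => ['prefs' => 'O%3A11%3A%22Demo_Gadget%22%3A0%3A%7B%7D'],
];

foreach ($requests as $label => $params) {
    $hits = scan_params_for_serialized($params);
    printf("%-24s -> %s\n", $label, $hits ? json_encode($hits) : 'no match');
}
```

Because the array pattern also matches legitimate serialized data, a deployment would normally scope it to the endpoints the text names (wp-admin/admin-ajax.php and the theme's own handlers) and log-only it first, then promote to block once the false-positive rate on real traffic is known.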


CVE-2025-60236 vulnerability details – vuln.today
