
CVE-2025-67617

CRITICAL
Deserialization of Untrusted Data (CWE-502)
2026-01-22 audit@patchstack.com
9.8
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 12, 2026 - 21:54 (vuln.today)
CVE Published: Jan 22, 2026 - 17:16 (nvd), CRITICAL 9.8

Description (CVE.org)

Deserialization of Untrusted Data vulnerability in themeton Consult Aid consultaid allows Object Injection. This issue affects Consult Aid: from n/a through <= 1.4.3.

Analysis (AI)

Consult Aid WordPress theme has an insecure deserialization vulnerability allowing object injection that can lead to remote code execution.

Technical Context (AI)

The Consult Aid theme by themeton has a CWE-502 deserialization of untrusted data vulnerability that allows attackers to inject serialized PHP objects that trigger dangerous operations during unserialization.

Affected Products (AI)

themeton Consult Aid WordPress theme

Remediation (AI)

Update the theme. Avoid deserializing user-controlled data.
