Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
The description states unauthenticated PHP object injection reachable over the network with no user interaction; deserialization gadget chains typically yield full remote code execution, hence C/I/A:H.
Primary rating from Vendor (Patchstack).
CVSS Vector (Vendor: Patchstack)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description (CVE.org)
Unauthenticated PHP Object Injection in Hot Coffee <= 1.7 versions.
Analysis (AI)
Unauthenticated PHP Object Injection in the ThemeREX Hot Coffee WordPress theme (versions ≤ 1.7) allows remote attackers to inject arbitrary serialized PHP objects, potentially triggering property-oriented programming (POP) chains that lead to remote code execution, arbitrary file operations, or full site compromise. The flaw was disclosed by Patchstack and carries a CVSS score of 9.8 because it is network reachable with no authentication or user interaction required; no public exploit had been identified at the time of analysis.
Technical Context (AI)
Hot Coffee is a commercial WordPress theme distributed by ThemeREX (CPE: cpe:2.3:a:themerex:hot_coffee). The underlying weakness is CWE-502 (Deserialization of Untrusted Data): the theme passes attacker-controlled input into PHP's unserialize() without validating that the serialized payload originates from a trusted source. When unserialize() rebuilds objects, PHP automatically invokes magic methods such as __wakeup() and __destruct() on resulting instances. If any class available in the WordPress runtime (core, other plugins, or themes loaded in the same process) contains a suitable POP gadget, the deserialization can be chained into file writes, SQL queries, or code execution. Because WordPress installations typically load many plugins/themes, gadget chains are commonly reachable in practice.
Remediation (AI)
No vendor-released patch was identified at the time of analysis: the Patchstack advisory (https://patchstack.com/database/wordpress/theme/hot-coffee/vulnerability/wordpress-hot-coffee-theme-1-7-php-object-injection-vulnerability) does not cite a fixed version in the supplied data, so administrators should check ThemeREX for a release above 1.7 and upgrade as soon as one is published. Until a vendor update is available, the most effective compensating control is to deploy Patchstack mAX or an equivalent WordPress WAF with a virtual patch rule that blocks serialized PHP payloads (strings matching patterns such as O:\d+:" or a:\d+:{) on requests reaching the theme's endpoints; note that such a rule can break legitimate forms that transport serialized data. Alternatively, switch the site to a different theme until a fix ships, or restrict access to the theme's vulnerable entry points with web-server rules. Auditing for unexpected admin users, scheduled tasks (wp_cron), and modified PHP files is recommended in case exploitation has already occurred.
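The Technical Context and Remediation sections describe the unserialize() risk and a virtual-patch rule keyed on the O:\d+:" and a:\d+:{ patterns. The following added example (not vuln.today's, Patchstack's or ThemeREX's code) models that rule in Python: it classifies request parameters after URL and base64 decoding, treating serialized objects as blockable and serialized arrays as log-only, which is the caveat about legitimate forms that carry serialized data. Function names and the sample parameters are constructed for this illustration.

```python
"""Classify request parameters that may carry serialized PHP payloads."""
import base64
import re
from urllib.parse import unquote_plus

# O:<len>:"Class" or C:<len>:"Class": a serialized object, which is what a POP
# chain needs; a WAF rule should block this on unauthenticated endpoints.
OBJECT_RE = re.compile(r'(?:^|[^A-Za-z0-9])[OC]:\d+:"')
# a:<n>:{ : a serialized array, which some legitimate forms transport; log it.
ARRAY_RE = re.compile(r'(?:^|[^A-Za-z0-9])a:\d+:\{')

# Constructed sample parameters (not captured traffic).
SAMPLE_PARAMS = {
    "name": "Jane Doe",
    "prefs": 'a:1:{s:5:"theme";s:4:"dark";}',
    "data": "O%3A8%3A%22stdClass%22%3A0%3A%7B%7D",  # URL-encoded object
    "token": base64.b64encode(b'O:8:"stdClass":0:{}').decode(),  # base64 object
}


def _decodings(value):
    """Return the raw value plus URL-decoded and base64-decoded variants."""
    seen = []
    for candidate in (value, unquote_plus(value), unquote_plus(unquote_plus(value))):
        if candidate not in seen:
            seen.append(candidate)
    for candidate in list(seen):
        try:
            decoded = base64.b64decode(candidate, validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error (bad base64) is a ValueError subclass
            continue
        if decoded not in seen:
            seen.append(decoded)
    return seen


def classify(value):
    """Return 'object', 'array' or 'clean' for one parameter value."""
    variants = _decodings(value)
    if any(OBJECT_RE.search(v) for v in variants):
        return "object"
    if any(ARRAY_RE.search(v) for v in variants):
        return "array"
    return "clean"


def scan_params(params):
    """Classify every parameter; a virtual patch would block 'object' and log 'array'."""
    return {name: classify(value) for name, value in params.items()}
```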
EUVD-2025-210191