
Reisen WordPress Theme CVE-2025-69111

CRITICAL
Deserialization of Untrusted Data (CWE-502)
2026-06-17 Patchstack
9.8
CVSS 3.1 · Vendor: Patchstack

Severity by source

Vendor (Patchstack) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

Unauthenticated network-reachable PHP object injection with no user interaction typically yields full confidentiality, integrity, and availability impact via gadget-chain RCE.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS Vector (Vendor: Patchstack)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1. Analysis Generated: Jun 17, 2026 14:48 (vuln.today)

Description (CVE.org)

Unauthenticated PHP Object Injection in Reisen <= 1.4.1 versions.

Analysis (AI)

Unauthenticated PHP object injection in the ThemeREX Reisen WordPress theme, versions 1.4.1 and earlier, allows remote attackers to trigger deserialization of attacker-controlled data without authentication. Successful exploitation can lead to full site compromise via gadget chains commonly available in WordPress core or active plugins; the CVSS rating is 9.8 (critical). No public exploit was identified at the time of analysis, and the vulnerability is not listed in CISA KEV.

Technical Context (AI)

The vulnerability is a CWE-502 Deserialization of Untrusted Data flaw affecting the Reisen commercial WordPress theme by ThemeREX (CPE cpe:2.3:a:themerex:reisen). PHP object injection occurs when user-controllable input reaches an unserialize() call (or an equivalent that parses the native PHP serialization format) without restricting which classes may be instantiated: PHP then creates objects of whatever loaded classes the input names and invokes their magic methods, such as __wakeup at deserialization time, __destruct when the object is freed, or __toString when it is used as a string. In the WordPress ecosystem, such primitives are typically chained with POP (Property-Oriented Programming) gadgets present in WordPress core, popular plugins such as WooCommerce, or libraries such as Monolog or Guzzle to escalate from object instantiation to file write, SQL injection, or arbitrary code execution. ThemeREX themes have a recurring history of similar deserialization and authentication-bypass issues, which contextualizes the severity here.
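The primitive described above, shown as an added example that is not code from the Reisen theme or ThemeREX: a class whose magic methods only record that they ran, a vulnerable loader that hands request data straight to unserialize(), and two hardened alternatives (refusing all object instantiation via allowed_classes, or abandoning PHP serialization for a data-only format). The class, function and parameter names, and the sample request body, are constructed for illustration.

```php
<?php
// Added example, not code from the Reisen theme or ThemeREX: a minimal
// PHP object injection primitive next to two hardened alternatives.
// The class, function and parameter names are illustrative assumptions.
declare(strict_types=1);

// Stand-in for any loaded class with a magic method. Real gadget chains
// live in WordPress core, plugin or library classes; this one only
// records that its magic methods ran so the effect is visible.
final class AuditLogger
{
    public static array $events = [];
    public string $note = '';

    // Invoked by PHP as soon as an object of this class is unserialized.
    public function __wakeup(): void
    {
        self::$events[] = "__wakeup: {$this->note}";
    }

    // Invoked when the last reference to the object goes away.
    public function __destruct()
    {
        self::$events[] = "__destruct: {$this->note}";
    }
}

// VULNERABLE pattern (CWE-502): request data reaches unserialize()
// with no restriction on which classes may be instantiated.
function loadOptionsVulnerable(string $raw): mixed
{
    return @unserialize($raw);
}

// HARDENED (1): keep the serialized format but forbid all objects.
// With allowed_classes=false every O:/C: token becomes a
// __PHP_Incomplete_Class placeholder and no magic method of a user
// class ever runs; the placeholder itself is rejected as well.
function loadOptionsHardened(string $raw): ?array
{
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data) || containsIncompleteClass($data)) {
        return null;
    }
    return $data;
}

// Walk nested arrays and refuse any __PHP_Incomplete_Class placeholder.
function containsIncompleteClass(array $data): bool
{
    foreach ($data as $value) {
        if ($value instanceof __PHP_Incomplete_Class) {
            return true;
        }
        if (is_array($value) && containsIncompleteClass($value)) {
            return true;
        }
    }
    return false;
}

// HARDENED (2): use a data-only format for untrusted input instead;
// JSON cannot name a PHP class, so there is nothing to instantiate.
function loadOptionsJson(string $raw): ?array
{
    $data = json_decode($raw, true);
    return is_array($data) ? $data : null;
}

// --- Demonstration on a constructed request body ---------------------
// The loader expects a serialized array of options; the body instead
// carries a serialized AuditLogger object.
$payload = 'O:11:"AuditLogger":1:{s:4:"note";s:9:"from-user";}';

$obj = loadOptionsVulnerable($payload); // __wakeup runs during unserialize()
unset($obj);                            // last reference dropped: __destruct runs
print_r(AuditLogger::$events);          // both magic-method events recorded

AuditLogger::$events = [];
var_dump(loadOptionsHardened($payload));                          // object refused
var_dump(loadOptionsHardened('a:1:{s:5:"theme";s:6:"reisen";}')); // plain array accepted
var_dump(loadOptionsJson('{"theme":"reisen"}'));                  // plain array accepted
print_r(AuditLogger::$events);          // stays empty: no magic method executed
```

The allowed_classes option exists since PHP 7.0; code that must accept serialized objects of a known set of classes can pass that list instead of false, but every listed class then becomes a candidate gadget and needs review. The JSON variant is the simpler fix wherever the producer of the data can be changed.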

Remediation (AI)

No vendor-released patch was identified at the time of analysis; the Patchstack entry (https://patchstack.com/database/wordpress/theme/reisen/vulnerability/wordpress-reisen-theme-1-4-1-php-object-injection-vulnerability) documents 1.4.1 as the latest vulnerable version and cites no fixed version. Operators should monitor ThemeREX for an updated Reisen release and upgrade immediately once it is published. In the interim, deploy a WordPress WAF such as Patchstack or Wordfence with virtual-patching rules for PHP object injection on the Reisen theme endpoints; this adds request-inspection overhead but blocks known serialized payloads.

Stronger compensating controls, each with a side effect to weigh: disable or replace the Reisen theme on production sites (site appearance and functionality break until a replacement theme is configured); restrict access to theme AJAX and REST endpoints to authenticated administrators via web server rules (this may break legitimate front-end features that rely on those endpoints); and audit installed plugins, removing those known to expose POP gadget chains, to reduce the blast radius if injection is triggered.
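What a virtual-patching rule for this class of bug inspects, as an added example that is not code from Patchstack, Wordfence or the Reisen theme: a request guard that flags parameters carrying PHP serialized object tokens (O:/C:), including one base64 layer down, and reports which parameter triggered it so the event can be logged. The function names, the 'init' hook mentioned as an integration point, and the sample requests are constructed assumptions.

```php
<?php
// Added example, not code from Patchstack, Wordfence or the Reisen theme:
// a small request-inspection guard of the kind a virtual-patching rule
// applies, refusing parameters that carry PHP serialized object tokens.
// Function names and the sample requests are constructed assumptions.
declare(strict_types=1);

// PHP serialization marks objects as O:<len>:"<class>":<n>:{ and
// custom-serialized objects as C:<len>:"<class>":<n>:{. Serialized
// arrays and scalars never produce these tokens, so their presence in
// user input is a strong signal of an object-injection attempt.
const SERIALIZED_OBJECT_PATTERN = '/[OC]:\d+:"[^"]*":\d+:\{/';

// Inspect one scalar value, also looking one base64 layer down because
// serialized payloads are often transported encoded.
function looksLikeSerializedObject(string $value): bool
{
    if (preg_match(SERIALIZED_OBJECT_PATTERN, $value) === 1) {
        return true;
    }
    if (strlen($value) % 4 === 0 && preg_match('/^[A-Za-z0-9+\/]+=*$/', $value) === 1) {
        $decoded = base64_decode($value, true);
        if ($decoded !== false && preg_match(SERIALIZED_OBJECT_PATTERN, $decoded) === 1) {
            return true;
        }
    }
    return false;
}

// Walk a request array (GET/POST/COOKIE style, possibly nested) and
// return the dotted path of every offending parameter.
function findSerializedObjectParams(array $params, string $prefix = ''): array
{
    $hits = [];
    foreach ($params as $key => $value) {
        $path = $prefix === '' ? (string) $key : "$prefix.$key";
        if (is_array($value)) {
            $hits = array_merge($hits, findSerializedObjectParams($value, $path));
        } elseif (is_string($value) && looksLikeSerializedObject($value)) {
            $hits[] = $path;
        }
    }
    return $hits;
}

// The decision a WAF rule, or a WordPress mu-plugin hooked early
// (e.g. on 'init', an assumed integration point), would make: an empty
// result lets the request through, anything else is blocked and logged.
function offendingRequestParams(array $get, array $post, array $cookie): array
{
    return array_merge(
        findSerializedObjectParams($get, 'GET'),
        findSerializedObjectParams($post, 'POST'),
        findSerializedObjectParams($cookie, 'COOKIE')
    );
}

// --- Constructed sample requests -------------------------------------
$legit = [
    'action'  => 'load_options',
    'options' => 'a:1:{s:5:"theme";s:6:"reisen";}', // serialized array, no object token
];
$objectInQuery = [
    'action'  => 'load_options',
    'options' => 'O:8:"stdClass":1:{s:1:"x";i:1;}', // serialized object
];
$objectInCookie = [
    'state' => base64_encode('a:1:{i:0;O:8:"stdClass":0:{}}'), // object nested in an array, encoded
];

print_r(offendingRequestParams($legit, [], []));          // nothing flagged
print_r(offendingRequestParams($objectInQuery, [], []));  // GET.options flagged
print_r(offendingRequestParams([], [], $objectInCookie)); // COOKIE.state flagged
```

This is a coarse signature, which is exactly what makes it cheap enough to run on every request: a legitimate string value that happens to contain an O:N:"...":N:{ sequence will be refused, and payloads wrapped in a second encoding layer or split across parameters will not be seen. Treat the guard as a stopgap that buys time until the theme is updated, and log every hit with the request path so the affected endpoint can be identified and restricted.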
