
SeaFood Company CVE-2025-69122

EUVD-2025-210200 · CRITICAL
Deserialization of Untrusted Data (CWE-502)
2026-06-16 Patchstack
9.8
CVSS 3.1 · Vendor: Patchstack

Severity by source

Vendor (Patchstack), primary: 9.8 CRITICAL (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
vuln.today AI: 9.8 CRITICAL

Unauthenticated network-reachable deserialization in a WordPress theme with no user interaction; PHP object injection typically yields full confidentiality, integrity, and availability impact via gadget chains.

CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS Vector (Vendor: Patchstack)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

1. Analysis Generated: Jun 17, 2026 - 00:00 (vuln.today)

Description (CVE.org)

Unauthenticated PHP Object Injection in SeaFood Company <= 1.4 versions.

Analysis (AI)

Unauthenticated PHP Object Injection in the ThemeREX SeaFood Company WordPress theme (versions ≤1.4) enables remote attackers to deliver crafted serialized payloads that trigger insecure deserialization within PHP, potentially leading to remote code execution, file manipulation, or full site compromise depending on available gadget chains in the host WordPress stack. Reported by Patchstack and tracked as EUVD-2025-210200, with no public exploit identified at time of analysis.

Technical Context (AI)

The flaw is a CWE-502 Deserialization of Untrusted Data weakness in the SeaFood Company commercial WordPress theme published by ThemeREX (CPE cpe:2.3:a:themerex:seafood_company). PHP Object Injection occurs when user-controllable input reaches unserialize() without integrity checks, allowing attacker-supplied serialized objects to instantiate classes whose magic methods (__wakeup, __destruct, __toString) are then invoked. In a WordPress context, the impact is typically amplified by POP (Property-Oriented Programming) gadget chains in WordPress core, common plugins, or libraries like Monolog/Guzzle, which can be chained to achieve file write, SQL execution, or arbitrary code execution.
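The sink described above, as an added example that is not code from the SeaFood Company theme or from ThemeREX: a minimal handler that passes untrusted input straight to unserialize(), alongside two hardened variants (refusing object instantiation with allowed_classes => false, and HMAC-sealing server-produced data so the integrity check the advisory says is missing happens before unserialize() is reached). The AuditLogger class, the function names and the demo key are assumptions for illustration only; the serialized string is constructed and names only that class.

```php
<?php
// Added example, not code from the SeaFood Company theme or from ThemeREX.
// Class, function and parameter names are assumptions for illustration.

declare(strict_types=1);

// Stand-in for a class whose magic method runs when an instance is torn down.
// In a real POP chain attacker-chosen properties steer what such a method does;
// here it only reports that it executed.
class AuditLogger
{
    public string $logFile = '/tmp/example.log';

    public function __destruct()
    {
        echo "AuditLogger::__destruct executed with logFile={$this->logFile}\n";
    }
}

// VULNERABLE: untrusted input reaches unserialize() with no restrictions, so any
// loadable class can be instantiated and its magic methods invoked (CWE-502).
function load_settings_vulnerable(string $raw): mixed
{
    return unserialize($raw);
}

// Recursively check whether a decoded value contains any object. With
// allowed_classes => false every object arrives as __PHP_Incomplete_Class.
function contains_object(mixed $v): bool
{
    if (is_object($v)) {
        return true;
    }
    if (is_array($v)) {
        foreach ($v as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// HARDENED 1: forbid object instantiation and reject anything that still
// carried an object. Scalars and arrays pass; no class is ever constructed.
function load_settings_no_objects(string $raw): mixed
{
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if ($value === false && $raw !== 'b:0;') {
        return null; // malformed input
    }
    return contains_object($value) ? null : $value;
}

// HARDENED 2: only deserialize what this server sealed itself. The HMAC is
// verified before unserialize() is called, so forged blobs never reach it.
function seal(mixed $value, string $key): string
{
    $serialized = serialize($value);
    return hash_hmac('sha256', $serialized, $key) . '.' . base64_encode($serialized);
}

function open_sealed(string $blob, string $key): mixed
{
    $parts = explode('.', $blob, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$mac, $b64] = $parts;
    $serialized = base64_decode($b64, true);
    if ($serialized === false) {
        return null;
    }
    if (!hash_equals(hash_hmac('sha256', $serialized, $key), $mac)) {
        return null; // tampered or attacker-supplied blob
    }
    return unserialize($serialized, ['allowed_classes' => false]);
}

// Constructed sample input: a serialized object string naming the class above.
// It has the "O:<n>:" shape a marker rule would match; it is not a gadget chain.
$untrusted = 'O:11:"AuditLogger":1:{s:7:"logFile";s:10:"/tmp/x.log";}';

echo "vulnerable: ";
$obj = load_settings_vulnerable($untrusted); // object is built; destructor fires on unset
unset($obj);

echo "no_objects: ";
var_export(load_settings_no_objects($untrusted)); // object rejected, value is null
echo "\n";

$key = 'constructed-demo-key-replace-with-a-real-secret'; // assumption: real key comes from config
$legit = seal(['theme_color' => 'blue'], $key);
echo "sealed/legit: ";
var_export(open_sealed($legit, $key));
echo "\n";

echo "sealed/forged: ";
var_export(open_sealed('deadbeef.' . base64_encode($untrusted), $key)); // HMAC mismatch
echo "\n";
```

Where the data does not need PHP-specific types at all, json_encode()/json_decode() removes the unserialize() sink entirely; the allowed_classes and HMAC variants above are for code that must keep the serialized format.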

Remediation (AI)

No vendor-released patch identified at time of analysis; the Patchstack listing covers versions ≤1.4 with no fixed version cited in the supplied data. Until ThemeREX publishes a patched release, deactivate and remove the SeaFood Company theme or switch to an alternative theme; the trade-off is loss of the theme's design and functionality. Compensating controls: deploy a WAF rule (Patchstack, Wordfence, or equivalent) to block requests containing PHP serialized object markers (e.g., O:\d+: and a:\d+:{) on theme endpoints, with the trade-off of possible false positives on legitimate serialized data; restrict /wp-content/themes/seafood-company/ via web server ACLs if direct endpoints are exposed; and audit installed plugins to reduce the available POP gadget chains. Monitor the Patchstack advisory at https://patchstack.com/database/wordpress/theme/seafood-company/vulnerability/wordpress-seafood-company-theme-1-4-php-object-injection-vulnerability for a fixed version announcement.
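The compensating WAF control described above, as an added example that is not a Patchstack or Wordfence rule: a minimal request-body pre-filter for the two markers the advisory names, scoped to the theme path it gives, run over constructed sample requests so that both a hit and the false positive on a legitimate serialized array are visible. Function names and the example.php path are assumptions; the request bodies are constructed, not captured traffic.

```php
<?php
// Added example, not a Patchstack or Wordfence rule. Function names and the
// example.php path are assumptions; sample requests are constructed.

declare(strict_types=1);

// Markers from the advisory: "O:<len>:" (object) and "a:<len>:{" (array).
// The negative lookbehind avoids matching inside ordinary words.
const SERIALIZED_MARKER = '/(?<![A-Za-z0-9_])(?:O:\d+:"|a:\d+:\{)/';

// Return the first marker found in the raw or URL-decoded body, or null.
function find_serialized_marker(string $body): ?string
{
    foreach ([$body, urldecode($body)] as $candidate) {
        if (preg_match(SERIALIZED_MARKER, $candidate, $m) === 1) {
            return $m[0];
        }
    }
    return null;
}

// Block only on the theme's own paths (prefix taken from the advisory) so the
// rest of the site, which may legitimately carry serialized arrays, is untouched.
function should_block(string $path, string $body): bool
{
    $themePrefix = '/wp-content/themes/seafood-company/';
    return str_starts_with($path, $themePrefix) && find_serialized_marker($body) !== null;
}

// Constructed sample requests (not captured traffic).
$samples = [
    // Percent-encoded serialized object aimed at a theme path: blocked.
    ['path' => '/wp-content/themes/seafood-company/example.php',
     'body' => 'data=O%3A11%3A%22AuditLogger%22%3A1%3A%7Bs%3A7%3A%22logFile%22%3Bs%3A10%3A%22%2Ftmp%2Fx.log%22%3B%7D'],
    // Legitimate serialized array on a theme path: the false positive the advisory warns about.
    ['path' => '/wp-content/themes/seafood-company/example.php',
     'body' => 'opts=a:1:{s:5:"color";s:4:"blue";}'],
    // JSON carries no PHP serialization marker and passes.
    ['path' => '/wp-content/themes/seafood-company/example.php',
     'body' => '{"color":"blue"}'],
    // Same array marker outside the theme path: detected but not blocked, because the rule is scoped.
    ['path' => '/wp-admin/admin-ajax.php',
     'body' => 'opts=a:1:{s:5:"color";s:4:"blue";}'],
];

foreach ($samples as $s) {
    printf("%-48s marker=%-8s block=%s\n",
        $s['path'],
        var_export(find_serialized_marker($s['body']), true),
        should_block($s['path'], $s['body']) ? 'yes' : 'no');
}
```

The second sample is the cost of this control: any endpoint under the theme path that legitimately posts serialized arrays is blocked too, which is why the advisory pairs the rule with removing the theme rather than relying on the rule alone.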


CVE-2025-69122 vulnerability details – vuln.today
