Plumbing WordPress Theme
CVE-2025-69127
CRITICAL
Severity by source
Primary rating from Vendor (Patchstack).
CVSS Vector (Vendor: Patchstack): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Network-reachable and unauthenticated, with full CIA impact on successful exploitation. Note that the vendor vector scores attack complexity Low (AC:L); turning the injection into code execution still depends on a usable POP gadget chain in the class graph loaded at the time of deserialization, a precondition the vector does not capture.
Description (CVE.org)
Unauthenticated PHP Object Injection in Plumbing <= 1.6 versions.
Analysis (AI)
Unauthenticated PHP Object Injection in the ThemeREX Plumbing WordPress theme, versions 1.6 and earlier, lets remote attackers get attacker-controlled serialized data passed to unserialize(), instantiating arbitrary PHP objects. When a suitable POP gadget chain is reachable, this can lead to full site compromise. No public exploit was identified at the time of analysis, but the CVSS 9.8 rating and unauthenticated network attack vector make this a high-priority issue for any WordPress site running this theme.
Technical Context (AI)
PHP Object Injection (CWE-502: Deserialization of Untrusted Data) occurs when user-controlled input is passed to PHP's unserialize() without restricting which classes may be instantiated. The attacker chooses the class and the values of its properties, and PHP then runs that class's magic methods during or after object reconstruction: __wakeup and __unserialize (PHP 7.4+) on reconstruction, __destruct when the object is released, and __toString, __call or similar when the object is used in a string or call context. The affected product per CPE cpe:2.3:a:themerex:plumbing is the Plumbing theme by ThemeREX, a commercial WordPress theme typically used for plumbing/contractor business sites. Exploitability depends on the presence of a POP (Property-Oriented Programming) gadget chain: a class with a side-effecting magic method within the theme's own code, bundled libraries (often the ThemeREX Addons plugin), or WordPress core/plugin classes loaded at the time of deserialization. The injection itself is the bug; the gadget chain determines the impact.
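The mechanism described above, as an added example that is not code from the Plumbing theme, ThemeREX Addons or WordPress: a hypothetical class TempFileCleaner whose __destruct deletes a file stands in for a gadget, vulnerable_load() shows the unsafe unserialize() call, and hardened_load() shows the allowed_classes option of unserialize() (PHP 7.0+) that turns any object in the payload into __PHP_Incomplete_Class so no application magic method runs. All function and class names are chosen for illustration; the script assumes PHP 8 and writes a temporary file in the system temp directory.

```php
<?php
// Added example, not code from the Plumbing theme: a hypothetical __destruct
// gadget, the vulnerable unserialize() call, and the hardened form.
declare(strict_types=1);

// Hypothetical gadget: a class that removes a temp file when it is destroyed.
// Any application class with side effects in a magic method can play this role.
final class TempFileCleaner
{
    public string $path;

    public function __construct(string $path)
    {
        $this->path = $path;
    }

    // Runs automatically when the object is released, including objects that
    // PHP reconstructed from attacker-supplied serialized data.
    public function __destruct()
    {
        if (is_file($this->path)) {
            unlink($this->path);
        }
    }
}

// Vulnerable pattern: request input (a cookie, POST field, option value) goes
// to unserialize() unfiltered, so the attacker picks the class and properties.
function vulnerable_load(string $untrusted): mixed
{
    return unserialize($untrusted);
}

// Hardened: refuse to instantiate any class. Objects in the payload become
// __PHP_Incomplete_Class and no magic method of an application class runs.
// (If the data only ever needs scalars and arrays, JSON is the better format.)
function hardened_load(string $untrusted): mixed
{
    $value = unserialize($untrusted, ['allowed_classes' => false]);
    if ($value === false && $untrusted !== serialize(false)) {
        throw new UnexpectedValueException('malformed serialized data');
    }
    return $value;
}

// A file created here stands in for a config, lock or plugin file on the site.
$victim = tempnam(sys_get_temp_dir(), 'poi');
file_put_contents($victim, 'important');

// The attacker never needs the application to serialize TempFileCleaner itself;
// the string is crafted by hand and is exactly what serialize() would produce.
$payload = 'O:15:"TempFileCleaner":1:{s:4:"path";s:' . strlen($victim) . ':"' . $victim . '";}';

// Hardened path first: the object is inert and the file survives.
$obj = hardened_load($payload);
printf("hardened: class=%s, file exists=%s\n", get_class($obj), var_export(is_file($victim), true));
unset($obj);

// Vulnerable path: __destruct fires when the object is released and deletes the file.
$obj = vulnerable_load($payload);
unset($obj);
printf("vulnerable: file exists=%s\n", var_export(is_file($victim), true));
```

The point of the demonstration is that the gadget class is never referenced by the vulnerable code path; it only has to be loaded (autoloadable) when unserialize() runs, which on a WordPress site means every active plugin and theme widens the search space. Passing an explicit whitelist to allowed_classes is an acceptable middle ground only when every listed class has been reviewed for side effects in its magic methods.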
Remediation (AI)
No vendor-released patch was identified at the time of analysis. Site operators should confirm the installed version (the Version header in the theme's style.css, or wp theme list with WP-CLI), monitor ThemeREX for an update beyond version 1.6 and upgrade as soon as it is released, per the Patchstack advisory at https://patchstack.com/database/wordpress/theme/plumbing-parts/vulnerability/wordpress-plumbing-theme-1-6-php-object-injection-vulnerability. In the interim, deploy a WordPress WAF with virtual patching for PHP Object Injection (Patchstack, Wordfence, or equivalent), which blocks serialized-object payloads in request parameters at the cost of occasional false positives on legitimate serialized data. If the theme is not actively required, switch to a maintained theme; if it must remain, restrict access to theme-handled endpoints (typically admin-ajax.php actions and any theme-specific URL handlers) via IP allowlist or HTTP authentication, accepting the trade-off that legitimate front-end functionality relying on those endpoints will break.
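What a virtual patch for this class of bug actually matches, as an added example that is not the Patchstack or Wordfence rule set: a small PHP check that flags request parameters carrying a serialized PHP object (O: or C: records), including URL-encoded and base64-wrapped variants that attackers use to slip past naive filters, while letting serialized arrays and scalars through. The sample request is constructed, the function names are chosen for illustration, and the script assumes PHP 8. On a real site the same logic would run from a must-use plugin before the theme's code sees the request.

```php
<?php
// Added example, not a vendor's WAF rule: detect serialized PHP objects in
// request input, the shape a CWE-502 virtual patch typically blocks.
declare(strict_types=1);

// Matches a serialized object record at the start of a value or right after an
// array/object element separator:
//   O:<len>:"<Class>":<n>:{   (plain object)
//   C:<len>:"<Class>":<n>:{   (object using the Serializable interface)
// Class names may contain namespace backslashes.
const SERIALIZED_OBJECT_RE = '/(?:^|[;{])[OC]:\d+:"[A-Za-z_\\\\][A-Za-z0-9_\\\\]*":\d+:\{/';

/**
 * Candidate decodings of a request value: as-is, URL-decoded, and base64-decoded
 * when the value looks like base64. Payloads are commonly wrapped this way.
 */
function decode_candidates(string $value): array
{
    $out = [$value];
    $url = rawurldecode($value);
    if ($url !== $value) {
        $out[] = $url;
    }
    foreach ($out as $v) {
        if (preg_match('/^[A-Za-z0-9+\/=]{8,}$/', $v) === 1) {
            $b64 = base64_decode($v, true);
            if ($b64 !== false) {
                $out[] = $b64;
            }
        }
    }
    return $out;
}

/** True when any decoding of $value contains a serialized PHP object. */
function contains_serialized_object(string $value): bool
{
    foreach (decode_candidates($value) as $candidate) {
        if (preg_match(SERIALIZED_OBJECT_RE, $candidate) === 1) {
            return true;
        }
    }
    return false;
}

/**
 * Scan a flat array of request parameters (GET, POST, cookies) and return the
 * names of those carrying a serialized object, for the caller to block or log.
 */
function flag_serialized_params(array $params): array
{
    $flagged = [];
    foreach ($params as $name => $value) {
        if (is_string($value) && contains_serialized_object($value)) {
            $flagged[] = (string) $name;
        }
    }
    return $flagged;
}

// Constructed sample request, not captured traffic.
$request = [
    'page_id'  => '42',
    'settings' => 'a:1:{s:5:"color";s:3:"red";}',              // serialized array, no object: allowed
    'state'    => 'O:8:"stdClass":1:{s:1:"x";i:1;}',            // raw object
    'token'    => rawurlencode('O:8:"stdClass":0:{}'),           // URL-encoded object
    'blob'     => base64_encode('a:1:{i:0;O:8:"stdClass":0:{}}'), // base64 object nested in an array
    'note'     => 'O:5 is the item code',                        // similar-looking text, not serialized
];

foreach (flag_serialized_params($request) as $name) {
    printf("block: parameter %s carries a serialized PHP object\n", $name);
}
```

The false-positive caveat from the remediation text shows up directly here: the check deliberately passes serialized arrays, but any legitimate feature that submits a real serialized object in a request (some plugin admin forms do) will be blocked, so log first and block once the site's own traffic has been reviewed. The check also cannot see payloads that arrive through channels other than request parameters, such as values already stored in the database, which is why it is a stopgap and not a substitute for the vendor fix.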