
AncoraThemes Mr. Murphy EUVD-2025-17116

CVE-2025-49072 | CRITICAL
Deserialization of Untrusted Data (CWE-502)
2025-06-06 · audit@patchstack.com
CVSS 3.1 (NVD): 9.8

Severity by source

NVD (primary): 9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD; the only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (7 events)

- Apr 23, 2026 15:42 (vuln.today): Re-analysis Queued (cvss_changed)
- Apr 16, 2026 05:55 (EUVD-patch-fix): Analysis Updated (executive_summary)
- Apr 16, 2026 05:29 (backfill_euvd_patch): Re-analysis Queued (patch_released)
- Apr 16, 2026 05:29 (EUVD): Patch available, version 1.2.12.1
- Mar 14, 2026 18:10 (euvd): EUVD ID Assigned, EUVD-2025-17116
- Mar 14, 2026 18:10 (vuln.today): Analysis Generated
- Jun 06, 2025 13:15 (nvd): CVE Published, CRITICAL 9.8

Description (CVE.org)

Deserialization of Untrusted Data vulnerability in AncoraThemes Mr. Murphy allows Object Injection. This issue affects Mr. Murphy: from n/a before 1.2.12.1.

Analysis (AI)

Critical deserialization vulnerability in the AncoraThemes Mr. Murphy WordPress theme that allows unauthenticated remote attackers to inject arbitrary objects and fully compromise confidentiality, integrity, and availability of the affected site. All versions before 1.2.12.1 are vulnerable. With a CVSS score of 9.8, a network attack vector, and no authentication or user interaction required, this vulnerability is an immediate, high-priority threat to affected WordPress installations.

Technical Context (AI)

This vulnerability stems from CWE-502: Deserialization of Untrusted Data, a class of flaws where an application deserializes untrusted input without proper validation. The AncoraThemes Mr. Murphy theme likely deserializes user-supplied data (possibly from HTTP requests, cached data, or transients) using PHP's unserialize() function or a similar mechanism without sufficient input validation. This enables Object Injection attacks, in which crafted serialized objects trigger unintended code execution on deserialization through PHP's magic methods (__wakeup, __destruct, __toString) or gadget chains in WordPress core or installed libraries. The vulnerability is specific to the Mr. Murphy theme (CPE would be: cpe:2.7:a:ancorathemes:mr_murphy:*:*:*:*:*:wordpress:*:*), affecting WordPress installations that use this theme in versions before 1.2.12.1.
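The unrestricted unserialize() pattern described above, beside a hardened loader that refuses to instantiate any object, as an added example (not code from the Mr. Murphy theme or from vuln.today; the function names and the "settings blob" scenario are assumed):

```php
<?php
// Added illustration of the CWE-502 pattern described above. This is not code
// from the Mr. Murphy theme; the function names and the settings-blob scenario
// are assumed for the example.

// Unsafe: unserialize() with no restrictions instantiates any loadable class
// named in the input, so its __wakeup()/__destruct() run on attacker-chosen state.
function load_settings_unsafe(string $raw)
{
    return unserialize($raw);
}

// Hardened: forbid object instantiation, then reject anything that is not a
// scalar or an array. With allowed_classes => false, PHP substitutes
// __PHP_Incomplete_Class placeholders for objects; is_object() catches those.
function load_settings_hardened(string $raw): array
{
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if ($data === false && $raw !== 'b:0;') {   // 'b:0;' is serialize(false)
        throw new InvalidArgumentException('malformed serialized settings');
    }
    $reject_objects = function ($value) use (&$reject_objects): void {
        if (is_object($value)) {
            throw new InvalidArgumentException('serialized object rejected');
        }
        if (is_array($value)) {
            foreach ($value as $item) {
                $reject_objects($item);
            }
        }
    };
    $reject_objects($data);
    return is_array($data) ? $data : [];
}

// Constructed inputs: a benign settings array and an array carrying a serialized
// object (stdClass here, harmless, but the hardened loader refuses any class).
$benign = 'a:2:{s:5:"color";s:3:"red";s:7:"columns";i:3;}';
$object = 'a:1:{s:5:"theme";O:8:"stdClass":0:{}}';

var_dump(load_settings_hardened($benign));

try {
    load_settings_hardened($object);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
// load_settings_unsafe($object) would instead hand back a live object.
```

For data the application itself wrote (options, transients), storing JSON and reading it with json_decode() removes the object-instantiation surface altogether, which is preferable to filtering unserialize() output.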


EUVD-2025-17116 vulnerability details – vuln.today
