What is the CVSS score of EUVD-2025-208862?

EUVD-2025-208862 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of Themeton Finag are affected by EUVD-2025-208862?

A critical vulnerability in the Themeton Finag WordPress theme (CVE-2025-60237, CVSS 9.8) allows unauthenticated attackers to inject malicious code and completely compromise affected websites.

How to fix or mitigate EUVD-2025-208862?

Within 24 hours: Identify all WordPress installations using Themeton Finag theme versions through 1.5.0 and immediately disable the theme or take affected sites offline. Within 7 days: Implement compensating controls (WAF rules blocking deserialization patterns, network segmentation isolating affected systems) and conduct forensic analysis for signs of compromise. Within 30 days: Replace the vulnerable theme with a patched version once available from the vendor, or migrate to an alternative theme; perform full security audit and credential rotation for compromised systems.

Themeton Finag EUVD-2025-208862

| CVE-2025-60237 CRITICAL

Deserialization of Untrusted Data (CWE-502)

2026-03-19 audit@patchstack.com

Deserialization

9.8

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

9.8 CRITICAL

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Re-analysis Queued

Apr 22, 2026 - 21:37 vuln.today

cvss_changed

EUVD ID Assigned

Mar 19, 2026 - 09:22 euvd

EUVD-2025-208862

Analysis Generated

Mar 19, 2026 - 09:22 vuln.today

CVE Published

Mar 19, 2026 - 09:16 nvd

CRITICAL 9.8

DescriptionCVE.org

Deserialization of Untrusted Data vulnerability in Themeton Finag allows Object Injection.This issue affects Finag: from n/a through 1.5.0.

AnalysisAI

A deserialization of untrusted data vulnerability in the Themeton Finag WordPress theme allows remote attackers to inject malicious PHP objects without authentication. This affects all versions of Finag through 1.5.0. The vulnerability carries a critical CVSS score of 9.8 due to network-based exploitation requiring no privileges or user interaction, enabling attackers to achieve complete compromise of confidentiality, integrity, and availability.

Technical ContextAI

This vulnerability stems from CWE-502 (Deserialization of Untrusted Data), where the Finag WordPress theme processes serialized PHP data from untrusted sources without proper validation. PHP object injection occurs when user-controlled serialized strings are passed to the unserialize() function, allowing attackers to instantiate arbitrary objects and trigger magic methods (__wakeup, __destruct, __toString) with attacker-controlled properties. This can lead to remote code execution, SQL injection, or file manipulation depending on available classes in the application. The Finag theme is a WordPress theme product developed by Themeton, and the vulnerability exists in versions up to and including 1.5.0.

RemediationAI

Users of the Themeton Finag WordPress theme should immediately upgrade to a version newer than 1.5.0 if available, or discontinue use of the theme until a security patch is released. Consult the Patchstack vulnerability database entry at https://patchstack.com/database/wordpress/theme/finag/vulnerability/wordpress-finag-theme-1-5-0-php-object-injection-vulnerability?_s_id=cve for the latest patch status and remediation guidance. As an interim mitigation measure, consider implementing web application firewall rules to block requests containing serialized PHP objects (patterns like 'O:' followed by integers indicating object serialization), restrict administrative access to the WordPress installation via IP allowlisting, and monitor server logs for suspicious deserialization attempts. Given the critical nature of this unauthenticated remote code execution vulnerability, priority should be given to removing or replacing the Finag theme if an official patch is not yet available.

EUVD-2025-208862 vulnerability details – vuln.today

Back

Themeton Finag EUVD-2025-208862

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code