What is the CVSS score of EUVD-2025-210200?

EUVD-2025-210200 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Which versions of SeaFood Company are affected by EUVD-2025-210200?

The ThemeREX SeaFood Company WordPress theme (versions 1.4 and earlier) contains a critical unauthenticated remote code execution vulnerability affecting any WordPress installation using this theme.

How to fix or mitigate EUVD-2025-210200?

Within 24 hours: Identify all WordPress sites using ThemeREX SeaFood Company theme versions ≤1.4 via admin panel and disable the theme immediately. Switch to an alternative theme from WordPress.org repository. Within 7 days: Scan affected sites for indicators of compromise (unauthorized user accounts, modified files, malicious code). Deploy WAF rules blocking serialized object patterns targeting the theme if available from CDN providers. Within 30 days: Uninstall the vulnerable theme completely and implement theme approval policy requiring themes from only official WordPress.org sources or verified commercial vendors.

SeaFood Company EUVD-2025-210200

| CVE-2025-69122 CRITICAL

Deserialization of Untrusted Data (CWE-502)

2026-06-16 Patchstack

PHP Deserialization Seafood Company

9.8

CVSS 3.1 · Vendor: Patchstack

Severity by source

Vendor (Patchstack) PRIMARY

9.8 CRITICAL

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

vuln.today AI

9.8 CRITICAL

Unauthenticated network-reachable deserialization in a WordPress theme with no user interaction; PHP object injection typically yields full confidentiality, integrity, and availability impact via gadget chains.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Jun 17, 2026 - 00:00 vuln.today

DescriptionCVE.org

Unauthenticated PHP Object Injection in SeaFood Company <= 1.4 versions.

Articles & Coverage 1

News Critical PHP Object Injection in ThemeREX SeaFood WordPress Theme - CVE-2025-69122 Jun 17, 2026

AnalysisAI

Unauthenticated PHP Object Injection in the ThemeREX SeaFood Company WordPress theme (versions ≤1.4) enables remote attackers to deliver crafted serialized payloads that trigger insecure deserialization within PHP, potentially leading to remote code execution, file manipulation, or full site compromise depending on available gadget chains in the host WordPress stack. Reported by Patchstack and tracked as EUVD-2025-210200, with no public exploit identified at time of analysis.

Technical ContextAI

The flaw is a CWE-502 Deserialization of Untrusted Data weakness in the SeaFood Company commercial WordPress theme published by ThemeREX (CPE cpe:2.3:a:themerex:seafood_company). PHP Object Injection occurs when user-controllable input reaches unserialize() without integrity checks, allowing attacker-supplied serialized objects to instantiate classes whose magic methods (__wakeup, __destruct, __toString) are then invoked. In a WordPress context, the impact is typically amplified by POP (Property-Oriented Programming) gadget chains in WordPress core, common plugins, or libraries like Monolog/Guzzle, which can be chained to achieve file write, SQL execution, or arbitrary code execution.

RemediationAI

No vendor-released patch identified at time of analysis - the Patchstack listing covers versions ≤1.4 with no fixed version cited in the supplied data. Until ThemeREX publishes a patched release, deactivate and remove the SeaFood Company theme or switch to an alternative theme; trade-off is loss of the theme's design and functionality. Compensating controls: deploy a WAF rule (Patchstack, Wordfence, or equivalent) to block requests containing PHP serialized object markers (e.g., O:\d+: and a:\d+:{) on theme endpoints, with the trade-off of possible false positives on legitimate serialized data; restrict /wp-content/themes/seafood-company/ via web server ACLs if direct endpoints are exposed; and audit installed plugins to reduce available POP gadget chains. Monitor the Patchstack advisory at https://patchstack.com/database/wordpress/theme/seafood-company/vulnerability/wordpress-seafood-company-theme-1-4-php-object-injection-vulnerability for a fixed version announcement.