Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from Vendor (Patchstack) · only source for this CVE.
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Deserialization of Untrusted Data vulnerability in Themeum Kirki kirki allows Object Injection.This issue affects Kirki: from n/a through <= 6.0.12.
AnalysisAI
Object injection in the Themeum Kirki WordPress customizer framework (all versions through 6.0.12) allows attackers to abuse PHP deserialization of untrusted data (CWE-502), potentially leading to arbitrary object instantiation and, given a suitable POP gadget chain, remote code execution or full site compromise. Reported by Patchstack with a maximum CVSS 9.8 rating; no public exploit identified at time of analysis and the flaw is not listed in CISA KEV. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Recommended ActionAI
Within 24 hours, conduct an inventory of all WordPress themes and plugins deployed across your organization to identify which bundle Themeum Kirki through version 6.0.12 using automated scanning tools or manual vendor documentation review. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Blind SQL injection in the Themeum Kirki WordPress customizer framework (all versions up to and including 6.0.12) lets r
Broken access control in the Themeum Kirki WordPress customizer framework (versions up to and including 6.0.13) allows r
Stored cross-site scripting in the Themeum Kirki WordPress customizer framework (versions through 6.0.11) lets an attack
Unauthenticated IDOR in the Kirki WordPress customizer toolkit (versions <= 6.0.11) allows remote unauthenticated attack
Same weakness CWE-502 – Deserialization of Untrusted Data
View allSame technique Deserialization
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43377