Plumbing
Unauthenticated PHP Object Injection in the ThemeREX Plumbing WordPress theme versions 1.6 and earlier allows remote attackers to inject arbitrary PHP objects via untrusted deserialization, potentially leading to full site compromise when a suitable POP gadget chain is present. No public exploit identified at time of analysis, but the CVSS 9.8 rating and unauthenticated network attack vector make this a high-priority issue for any WordPress site running this theme.