CVE-2025-60039
Published: 22 October 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-60039 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the Noisa WordPress theme developed by rascals. Untrusted input reaches a deserialization routine, allowing PHP Object Injection; affected versions are all releases up to and including 2.6.0 (the advisory gives no lower bound).
The vulnerability carries a CVSS v3.1 base score of 9.8 (Critical), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: an unauthenticated attacker with network access can exploit it remotely, with low complexity and no user interaction. The rating assumes high impact on confidentiality, integrity and availability. In practice, what an attacker can do with object injection depends on which "gadget" classes (classes with exploitable magic methods such as __destruct or __wakeup) are loaded in the target WordPress install, and WordPress core plus common plugins supply enough of them that the Critical rating is warranted.
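The following PHP script is an added illustration of the CWE-502 pattern described above; it is not code from the Noisa theme or from rascals, and the class name, cookie name and file path in it are hypothetical. It shows a loaded "gadget" class whose destructor has a side effect, the vulnerable call that lets a serialized string instantiate it, and two hardened alternatives. It assumes PHP 8.0 or later.

```php
<?php
// Added example of PHP object injection (CWE-502). NOT the Noisa theme's code;
// CacheWriter, the noisa_prefs cookie name and the temp-file path are hypothetical.
declare(strict_types=1);

// A "gadget": any class already loaded by the application whose magic method
// does something with attacker-controlled properties. The attacker never
// defines classes; unserialize() lets them pick which existing class to
// instantiate and what its fields contain.
class CacheWriter
{
    public string $path = '';
    public string $data = '';

    // Runs automatically when the object is destroyed, i.e. as soon as the
    // value returned by unserialize() is discarded.
    public function __destruct()
    {
        if ($this->path !== '') {
            file_put_contents($this->path, $this->data);
        }
    }
}

// Vulnerable pattern (illustrative): untrusted input, e.g. a cookie, reaches
// unserialize() with no class restriction, so any loaded class can be built.
function loadPrefsVulnerable(string $raw): mixed
{
    return unserialize($raw);
}

// Hardened (1): allowed_classes => false turns every object in the payload
// into __PHP_Incomplete_Class, whose magic methods never run.
function loadPrefsHardened(string $raw): mixed
{
    return unserialize($raw, ['allowed_classes' => false]);
}

// Hardened (2), preferable: do not use PHP serialization for client-side
// state at all; JSON cannot express objects or trigger magic methods.
function loadPrefsJson(string $raw): ?array
{
    $value = json_decode($raw, true, 16);
    return is_array($value) ? $value : null;
}

// Cheap input check for logs and WAF rules: serialized PHP objects start
// with O:<len>:"<class>" (or C: for custom-serialized classes).
function looksLikeSerializedObject(string $raw): bool
{
    return preg_match('/(^|[;{])[OC]:\d+:"/', $raw) === 1;
}

// Constructed attacker payload: what serialize() would emit for a CacheWriter
// whose fields make __destruct write a file. Hand-built to show the format.
$tmp     = sys_get_temp_dir() . '/poi_demo.txt';
$payload = 'O:11:"CacheWriter":2:{'
         . 's:4:"path";s:' . strlen($tmp) . ':"' . $tmp . '";'
         . 's:4:"data";s:5:"pwned";}';

echo "payload flagged by check: ", var_export(looksLikeSerializedObject($payload), true), "\n";

@unlink($tmp);
loadPrefsVulnerable($payload);            // object created, __destruct fires on return
echo "vulnerable: file written? ", var_export(file_exists($tmp), true), "\n";

@unlink($tmp);
$obj = loadPrefsHardened($payload);       // __PHP_Incomplete_Class, destructor never runs
echo "hardened: got ", get_class($obj), "; file written? ",
     var_export(file_exists($tmp), true), "\n";

var_dump(loadPrefsJson($payload));        // NULL: not valid JSON, so it is rejected outright
@unlink($tmp);
```

The hand-built payload is exactly the string `serialize(new CacheWriter)` would produce once the two properties are set, which is why object injection needs no code execution primitive of its own: the attacker only supplies data, and the application's own classes do the rest. Treat `unserialize()` on anything that originates from a request, a cookie, a database row writable by lower-privileged users, or a file upload as a finding, and prefer `json_decode` or the `allowed_classes` restriction when serialization cannot be removed.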
The Patchstack advisory provides further details on this WordPress Noisa theme vulnerability at https://patchstack.com/database/Wordpress/Theme/noisa/vulnerability/wordpress-noisa-theme-2-6-0-php-object-injection-vulnerability?_s_id=cve.
Details
- CWE(s): CWE-502 Deserialization of Untrusted Data
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
Why these techniques?
The vulnerability is a critical unauthenticated remote deserialization flaw in a WordPress theme, which by nature runs on an Internet-facing site, so it maps directly to exploitation of a public-facing application for initial access.