CVE-2025-60213
Published: 22 October 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-60213 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the Whitebox-Studio Scape WordPress theme, enabling PHP Object Injection. The issue affects Scape versions from unknown initial release through 1.5.13. Published on 2025-10-22, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for severe impacts across confidentiality, integrity, and availability.
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation via untrusted data deserialization can lead to object injection, allowing attackers to execute arbitrary code, manipulate data, or cause denial of service, depending on the injected objects and server configuration.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/scape/vulnerability/wordpress-scape-theme-1-5-13-php-object-injection-vulnerability?_s_id=cve provides details on this PHP Object Injection vulnerability in the Scape WordPress theme, including recommended mitigations such as updating to a patched version where available.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a critical deserialization flaw in a public-facing WordPress theme, enabling remote unauthenticated arbitrary code execution, directly mapping to exploitation of public-facing applications.