Cyber Posture

CVE-2025-60215

High

Published: 22 October 2025

Published
22 October 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0012 30.3th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Security Summary

CVE-2025-60215 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the Kriya WordPress theme developed by designthemes. The flaw allows Object Injection and affects Kriya versions from n/a through 3.4 inclusive.

The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity. A low-privileged authenticated attacker can exploit it over the network with low complexity and no user interaction required, achieving high impacts on confidentiality, integrity, and availability.

The Patchstack advisory provides further details on this WordPress Kriya theme vulnerability at https://patchstack.com/database/Wordpress/Theme/kriya/vulnerability/wordpress-kriya-theme-3-4-php-object-injection-vulnerability?_s_id=cve.

Details

CWE(s)
CWE-502

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
Why these techniques?

Deserialization of untrusted data (PHP Object Injection) in a public-facing WordPress theme enables remote code execution from low-privileged authenticated access, directly facilitating T1190 (Exploit Public-Facing Application) and T1068 (Exploitation for Privilege Escalation).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References