CVE-2025-60216
Published: 22 October 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-60216 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the BoldThemes Addison WordPress theme that allows PHP Object Injection. It affects all Addison theme versions before 1.4.8 (no lower bound is listed).
The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): it is reachable over the network (AV:N) by an unauthenticated attacker (PR:N) with low attack complexity (AC:L) and no user interaction (UI:N), and scope is unchanged (S:U). Successful exploitation has high impact on confidentiality, integrity, and availability.
The Patchstack advisory documents the PHP Object Injection vulnerability in the WordPress Addison theme (it specifically references version 1.4.2); the mitigation is to update to version 1.4.8 or later.
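The advisory does not disclose where in the theme the unserialize() sink sits, so the following is an added example, not code from the Addison theme, BoldThemes or Patchstack. It shows the CWE-502 / PHP Object Injection pattern the summary describes in a WordPress-style options loader: the vulnerable form beside two hardened forms, plus a constructed payload that demonstrates which form a gadget's magic method fires in. The class TemplateCache, the load_options_* functions, attacker_payload() and the temporary target path are all hypothetical.

```php
<?php
// Added example, not code from the Addison theme or the Patchstack advisory.
// Vulnerable unserialize() sink beside two hardened forms, with a constructed
// payload. All class, function and parameter names are hypothetical.
declare(strict_types=1);

// A "gadget": a class the application already has loaded whose magic method
// does something dangerous with attacker-controlled properties. Real chains
// are found in vendored libraries; this one is deliberately tiny.
final class TemplateCache
{
    public string $path = '';
    public string $content = '';

    // Runs when the object is released, which happens moments after
    // unserialize() builds it even if the caller never touches it.
    public function __destruct()
    {
        if ($this->path !== '') {
            file_put_contents($this->path, $this->content);
        }
    }
}

// VULNERABLE: a request parameter (cookie, GET, POST) is fed to unserialize().
// WordPress's maybe_unserialize() wrapper is a frequent place this pattern appears.
function load_options_vulnerable(string $raw): array
{
    $opts = unserialize(base64_decode($raw));   // attacker chooses the class
    return is_array($opts) ? $opts : [];        // object discarded here, __destruct fires
}

// HARDENED (1): keep the format but refuse every class (PHP >= 7.0). Objects in
// the input become __PHP_Incomplete_Class, whose magic methods never run.
function load_options_no_classes(string $raw): array
{
    $opts = unserialize(base64_decode($raw), ['allowed_classes' => false]);
    return is_array($opts) ? $opts : [];
}

// HARDENED (2): do not use PHP serialization for untrusted input at all.
function load_options_json(string $raw): array
{
    try {
        $opts = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return [];
    }
    return is_array($opts) ? $opts : [];
}

// What the attacker sends: a hand-built serialized TemplateCache. No gadget
// instance is created on the attacker side; only the string matters.
function attacker_payload(string $target, string $body): string
{
    return sprintf(
        'O:13:"TemplateCache":2:{s:4:"path";s:%d:"%s";s:7:"content";s:%d:"%s";}',
        strlen($target), $target, strlen($body), $body
    );
}

// Demo on a constructed target path. A real payload would aim at the web root
// (e.g. wp-content/uploads) and drop PHP code instead of a text marker.
$target  = sys_get_temp_dir() . '/poi_demo_' . getmypid() . '.txt';
$payload = base64_encode(attacker_payload($target, 'attacker-controlled content'));

foreach (['load_options_vulnerable', 'load_options_no_classes', 'load_options_json'] as $loader) {
    @unlink($target);
    $loader($payload);
    printf("%-25s file written: %s\n", $loader, file_exists($target) ? 'YES' : 'no');
}
@unlink($target);
```

Only the first loader writes the file: unserialize() instantiates TemplateCache, the is_array() check discards it, and the destructor runs with the attacker's properties before the function even returns. Rejecting classes or switching to JSON removes the gadget entry point; neither fixes the theme, so the update to 1.4.8 or later is still the mitigation.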
Details
- CWE(s): CWE-502 Deserialization of Untrusted Data
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application (Initial Access)
Why these techniques?
CVE-2025-60216 is a critical-severity (CVSS 9.8) unauthenticated remote deserialization/Object Injection vulnerability in a public-facing WordPress theme, which maps directly to exploiting a public-facing application for initial access.