CVE-2025-60221
Published: 22 October 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-60221 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the Captivate Sync WordPress plugin (captivatesync-trade) developed by captivateaudio. The flaw enables Object Injection and affects all versions of Captivate Sync up to and including 3.0.3. It has been assigned a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for high impact on confidentiality, integrity, and availability.
A remote attacker requires no privileges or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation could allow arbitrary code execution or other severe impacts through the injection of malicious objects during deserialization of untrusted data.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/captivatesync-trade/vulnerability/wordpress-captivate-sync-plugin-3-0-3-php-object-injection-vulnerability?_s_id=cve provides details on this PHP Object Injection vulnerability in the Captivate Sync plugin version 3.0.3, though specific mitigation steps such as patches are referenced there for security practitioners to review.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a critical deserialization flaw in a public-facing WordPress plugin, enabling unauthenticated remote code execution, directly mapping to exploitation of public-facing applications.