CVE-2025-60224
Published: 22 October 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-60224 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the WordPress plugin Subscribe to Download by wpshuffle. The plugin passes attacker-controlled input to PHP's unserialize(), which allows PHP Object Injection: the attacker chooses which class is instantiated and what values its properties hold. All versions of the plugin up to and including 2.0.9 are affected.
The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): it is reachable over the network, requires no authentication, no user interaction and no special conditions, and successful exploitation has high impact on confidentiality, integrity and availability. Object injection on its own only instantiates objects; the step to remote code execution, arbitrary file writes or deletion, or SQL injection depends on a usable gadget chain (classes with magic methods such as __destruct, __wakeup or __toString) being present in WordPress core, the active theme or any installed plugin. On a typical WordPress install with many plugins such a chain is usually available, which is why this class of bug is rated as critical.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/subscribe-to-download/vulnerability/wordpress-subscribe-to-download-plugin-2-0-9-php-object-injection-vulnerability?_s_id=cve describes the vulnerability in Subscribe to Download 2.0.9 and earlier and gives mitigation guidance. Site operators should check the installed plugin version, update to a fixed release once available, and otherwise deactivate the plugin.
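The following PHP is an added illustration of the CWE-502 pattern described above, not code from the Subscribe to Download plugin or from the Patchstack advisory. The LogWriter gadget class, the handler functions and the payload builder are hypothetical; they show the generic shape of a PHP Object Injection (a magic method on an attacker-chosen class runs with attacker-chosen properties) and the two usual fixes: refusing to instantiate classes via the allowed_classes option of unserialize(), or switching to a data-only format such as JSON.

```php
<?php
// Added example: PHP Object Injection via unserialize() on untrusted input.
// Not the plugin's code. Class names, function names and payloads are made up.

// A "gadget": any class already loaded by core, a theme or a plugin whose
// magic method does something dangerous with its own properties.
class LogWriter
{
    public string $path = '/tmp/app.log';
    public string $data = '';

    // Runs automatically when the object is destroyed. After a successful
    // injection the attacker controls both properties, so this becomes an
    // arbitrary file write (e.g. a .php file under the web root => RCE).
    public function __destruct()
    {
        file_put_contents($this->path, $this->data);
    }
}

// Vulnerable handler: unserialize() directly on a request parameter.
function handle_vulnerable(string $untrusted): mixed
{
    return unserialize($untrusted); // instantiates whatever class the payload names
}

// Hardened handler 1: keep the serialized format but forbid every class.
// Objects in the payload come back as __PHP_Incomplete_Class, which has no
// magic methods, so no gadget code runs.
function handle_hardened(string $untrusted): mixed
{
    return unserialize($untrusted, ['allowed_classes' => false]);
}

// Hardened handler 2 (preferred): use a format that cannot carry objects.
// Throws JsonException on malformed input instead of silently returning false.
function handle_json(string $untrusted): ?array
{
    $value = json_decode($untrusted, true, 16, JSON_THROW_ON_ERROR);
    return is_array($value) ? $value : null;
}

// Cheap request-side check for WAF rules or log review: a serialized PHP
// object always starts with  O:<len>:"<ClassName>":  (also C: for custom
// serializers). Legitimate form fields almost never look like this.
function looks_like_serialized_object(string $s): bool
{
    return (bool) preg_match('/(?:^|[;{])[OC]:\d+:"[A-Za-z_\\\\][A-Za-z0-9_\\\\]*":/', $s);
}

// What an attacker builds offline: a LogWriter with chosen path and data.
function craft_payload(string $path, string $data): string
{
    return sprintf(
        'O:9:"LogWriter":2:{s:4:"path";s:%d:"%s";s:4:"data";s:%d:"%s";}',
        strlen($path), $path, strlen($data), $data
    );
}

function demo(): array
{
    $target  = sys_get_temp_dir() . '/poi-demo.txt';
    $payload = craft_payload($target, 'written by __destruct');
    @unlink($target);

    $obj       = handle_vulnerable($payload);
    $vulnClass = get_class($obj);      // "LogWriter": gadget instantiated
    unset($obj);                       // refcount hits zero, __destruct fires
    $written   = file_exists($target); // true: attacker-chosen file was written

    $safe      = handle_hardened($payload);
    $safeClass = get_class($safe);     // "__PHP_Incomplete_Class": inert

    return [
        'vulnerable_class' => $vulnClass,
        'file_written'     => $written,
        'hardened_class'   => $safeClass,
        'payload_flagged'  => looks_like_serialized_object($payload),
    ];
}

print_r(demo());
```

When a plugin genuinely needs to round-trip PHP values through a cookie or form field, the safe options are JSON for plain data, allowed_classes restricted to an explicit whitelist of plain data classes when objects are unavoidable, and an HMAC over the blob verified before unserialize() so that only server-produced blobs are ever parsed.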
Details
- CWE(s): CWE-502 Deserialization of Untrusted Data
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
Why these techniques?
The vulnerability is a deserialization flaw in a public-facing WordPress plugin that an unauthenticated attacker can trigger over the network, so exploiting it maps directly to the initial-access technique of exploiting a public-facing application, with remote code execution as the likely outcome where a gadget chain is available.