CVE-2025-60228
Published: 22 October 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-60228 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the designthemes Knowledge Base (kbase) WordPress theme, enabling Object Injection. The issue affects Knowledge Base theme versions from n/a through 2.9 inclusive. Published on 2025-10-22, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.
An authenticated attacker with low privileges (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) and without requiring user interaction (UI:N). Successful exploitation allows high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), stemming from the object injection enabled by untrusted deserialization.
Patchstack has issued an advisory documenting the PHP Object Injection vulnerability specifically in Knowledge Base theme version 2.9, available at https://patchstack.com/database/Wordpress/Theme/kbase/vulnerability/wordpress-knowledge-base-theme-2-9-php-object-injection-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Deserialization of Untrusted Data (PHP Object Injection) in a WordPress theme enables remote exploitation of a public-facing web application by authenticated low-privilege users, leading to arbitrary code execution, directly facilitating T1190: Exploit Public-Facing Application.