CVE-2025-60238
Published: 22 October 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-60238 is a Deserialization of Untrusted Data vulnerability in the universam UNIVERSAM universam-demo WordPress plugin, enabling Object Injection. It affects all versions from n/a through <= 9.03. The CVSS score is 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its critical nature with potential for high impacts on confidentiality, integrity, and availability. The issue maps to CWE-502.
Unauthenticated remote attackers can exploit this flaw by providing untrusted data for deserialization, allowing arbitrary object injection. Successful exploitation could result in remote code execution, data exfiltration, or full server compromise on vulnerable WordPress installations running the affected plugin versions.
The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/universam-demo/vulnerability/wordpress-universam-plugin-8-72-14-php-object-injection-vulnerability?_s_id=cve) describes the PHP object injection risk in the universam-demo plugin up to version 8.72.14 (aligning with the CVE's scope through 9.03). It urges updating to patched versions if available, removing the plugin otherwise, and monitoring for signs of exploitation.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a deserialization flaw in a public-facing WordPress plugin, directly enabling unauthenticated remote exploitation of a public-facing application for RCE and server compromise.