Cyber Posture

CVE-2025-60245

Critical

Published: 06 November 2025

Published
06 November 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0010 27.5th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Security Summary

CVE-2025-60245 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the WP User Manager WordPress plugin (wp-user-manager), enabling Object Injection. The issue affects the plugin from unspecified initial versions through 2.9.12. Published on 2025-11-06, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its potential for severe impact.

Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows high-impact compromise of confidentiality, integrity, and availability, typically through arbitrary object instantiation during deserialization of untrusted data.

Mitigation details are provided in advisories such as the Patchstack database entry at https://patchstack.com/database/Wordpress/Plugin/wp-user-manager/vulnerability/wordpress-wp-user-manager-plugin-2-9-12-php-object-injection-vulnerability?_s_id=cve.

Details

CWE(s)
CWE-502

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

Unauthenticated remote exploitation of a public-facing WordPress plugin vulnerability via deserialization/object injection directly maps to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References