{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-60233", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-09-25T15:34:39.168Z", "datePublished": "2026-03-19T08:13:15.424Z", "dateUpdated": "2026-04-28T16:13:58.113Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Zuut", "vendor": "Themeton", "versions": [{"lessThanOrEqual": "1.4.2", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in Themeton Zuut allows Object Injection.<p>This issue affects Zuut: from n/a through 1.4.2.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in Themeton Zuut allows Object Injection.This issue affects Zuut: from n/a through 1.4.2."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "CAPEC-586 Object Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:13:58.113Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/wordpress/theme/zuut/vulnerability/wordpress-zuut-theme-1-4-2-php-object-injection-vulnerability?_s_id=cve"}], "source": {"discovery": "EXTERNAL"}, "title": "WordPress Zuut theme <= 1.4.2 - PHP Object Injection vulnerability", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-19T13:42:06.849165Z", "id": "CVE-2025-60233", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T13:42:27.406Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-60233", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-19T13:42:06.849165Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T13:42:20.069Z"}}], "cna": {"title": "WordPress Zuut theme <= 1.4.2 - PHP Object Injection vulnerability", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "CAPEC-586 Object Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Themeton", "product": "Zuut", "versions": [{"status": "affected", "version": "n/a", "versionType": "custom", "lessThanOrEqual": "1.4.2"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://patchstack.com/database/wordpress/theme/zuut/vulnerability/wordpress-zuut-theme-1-4-2-php-object-injection-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in Themeton Zuut allows Object Injection.This issue affects Zuut: from n/a through 1.4.2.", "supportingMedia": [{"type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in Themeton Zuut allows Object Injection.<p>This issue affects Zuut: from n/a through 1.4.2.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:13:58.113Z"}}}, "cveMetadata": {"cveId": "CVE-2025-60233", "state": "PUBLISHED", "dateUpdated": "2026-04-28T16:13:58.113Z", "dateReserved": "2025-09-25T15:34:39.168Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-19T08:13:15.424Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in Themeton Zuut allows Object Injection.This issue affects Zuut: from n/a through 1.4.2."}, {"lang": "es", "value": "Vulnerabilidad de deserializaci\u00f3n de datos no confiables en Themeton Zuut permite la inyecci\u00f3n de objetos. Este problema afecta a Zuut: desde n/a hasta 1.4.2."}], "id": "CVE-2025-60233", "lastModified": "2026-04-28T19:34:44.820", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-03-19T09:16:16.050", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/wordpress/theme/zuut/vulnerability/wordpress-zuut-theme-1-4-2-php-object-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.4.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Zuut", "source": "cna", "vendor": "Themeton"}, "product": "zuut", "vendor": "themeton"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-29T00:47:37.366118+00:00", "value": {"mitigation_remediation": ["Check the vendor\u2019s website or the WordPress plugin directory for an updated Zuut theme release that removes the vulnerability.", "If an updated version is available, upgrade the theme to that version immediately.", "If no patch is available yet, consider disabling or deactivating the theme until a fix arrives to prevent potential exploitation."], "summary": {"action": "Apply Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The defect affects the Zuut theme from Themeton, from the initial release (n/a) through version 1.4.2. All WordPress sites that have the Zuut theme installed and have not applied any mitigation beyond the default codebase are vulnerable.\n", "description_and_impact": "Deserialization of untrusted data in Themeton Zuut theme allows an attacker to perform PHP Object Injection, enabling execution of arbitrary code on the affected WordPress site. The vulnerability stems from improper validation of serialized input, a weakness identified as CWE\u2011502. If exploited, an attacker could gain full access to the web application, compromise data integrity, and potentially pivot to the underlying server.\n", "risk_and_exploitability": "The vulnerability carries a CVSS score of 9.8, indicating critical severity. The EPSS score is < 1%, and KEV indicates it has not been listed. The likely attack vector is remote, with a malicious actor sending crafted serialized data to the theme during a normal request; this inference is based on the nature of object injection in PHP applications.\n"}}}}, "created": "2026-03-20T08:57:10.231510+00:00", "updated": "2026-04-29T01:00:11.344018+00:00", "vendors": ["themeton", "themeton$PRODUCT$zuut", "wordpress", "wordpress$PRODUCT$wordpress"]}