CVE-2025-24779
Published: 16 July 2025
Summary
CVE-2025-24779 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 43.2% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-24779 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the NooTheme Yogi WordPress theme, enabling PHP Object Injection. It affects Yogi versions prior to 2.9.3 (the advisory gives no lower bound, listed as "n/a").
The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating exploitation over the network by low-privileged authenticated users with low attack complexity and no user interaction required. Successful exploitation can result in high impacts to confidentiality, integrity, and availability.
The Patchstack advisory (https://patchstack.com/database/Wordpress/Theme/yogi/vulnerability/wordpress-yogi-2-9-0-php-object-injection-vulnerability?_s_id=cve) details the object injection flaw specific to the PHP implementation in affected Yogi theme versions.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-21599
Vulnerability details
Deserialization of Untrusted Data vulnerability in NooTheme Yogi yogi allows Object Injection. This issue affects Yogi: from n/a through < 2.9.3.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A directly network-exploitable deserialization / object injection flaw in a public-facing WordPress theme that allows RCE by authenticated users maps cleanly to T1190.
Mitigating Controls (NIST 800-53 r5)
- Directly requires identification, reporting, and correction of the deserialization flaw in Yogi theme versions prior to 2.9.3.
- SI-10 (Information Input Validation): mandates validation of untrusted data inputs to prevent object injection exploitation in the vulnerable WordPress theme.
- RA-5 (Vulnerability Monitoring and Scanning): provides vulnerability scanning to identify and remediate the PHP object injection vulnerability (CVE-2025-24779) in the Yogi theme.
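The following is an added, constructed illustration of the CWE-502 pattern behind this CVE and of the SI-10 style input validation recommended above; it is not code from the Yogi theme (the page does not disclose the theme's actual sink), and ExampleGadget, the load_settings_* functions and the sample input are all assumed for the demonstration.

```php
<?php
// Constructed illustration of PHP object injection (CWE-502). Not the Yogi
// theme's code; ExampleGadget, load_settings_* and the input are assumed.

// A class with a magic method is what unserialize() can reach: PHP rebuilds
// the object from caller-supplied fields without running the constructor, and
// __destruct fires when the object is freed. Kept harmless here (a counter).
class ExampleGadget {
    public static int $fired = 0;
    public string $tag = '';
    public function __destruct() { self::$fired++; }
}

// VULNERABLE: request data is deserialized as-is, so the sender decides which
// classes are instantiated and therefore which magic methods eventually run.
function load_settings_unsafe(string $untrusted) {
    return unserialize($untrusted);                 // CWE-502 sink
}

// HARDENED (a): refuse to instantiate any class. Objects in the input become
// __PHP_Incomplete_Class placeholders and no magic method is invoked.
function load_settings_safe(string $untrusted) {
    return unserialize($untrusted, ['allowed_classes' => false]);
}

// HARDENED (b): do not accept PHP serialization from requests at all (SI-10,
// validate the input format). JSON decoding can only yield scalars and arrays.
function load_settings_json(string $untrusted): array {
    $data = json_decode($untrusted, true, 512, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : [];
}

// Code-review / request-inspection aid: a serialized PHP object always starts
// with O:<len>:" (or C:<len>:"), so flag that shape in request parameters.
function contains_serialized_object(string $s): bool {
    return (bool) preg_match('/(?:^|[;{])[OC]:\d+:"/', $s);
}

// Constructed request value carrying a serialized ExampleGadget.
$constructed = 'O:13:"ExampleGadget":1:{s:3:"tag";s:4:"demo";}';

var_dump(contains_serialized_object($constructed));    // flagged by the check
var_dump(get_class(load_settings_safe($constructed)));  // placeholder class only
var_dump(ExampleGadget::$fired);                        // counter before unsafe call
load_settings_unsafe($constructed);                     // real object built and freed
var_dump(ExampleGadget::$fired);                        // counter after: __destruct ran
```

Run with `php example.php` (PHP 7.4 or later); the counter stays unchanged through the hardened call and increments only after the unsafe one, which is exactly the behaviour a review of similar sinks should look for.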