CVE-2025-26873
Published: 27 March 2025
Summary
CVE-2025-26873 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability. Its CVSS base score is 9.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 39.5% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-26873 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the shinetheme Traveler WordPress theme. It affects all Traveler versions prior to 3.2.1 (no lower bound is given, listed as "n/a").
The vulnerability carries a CVSS v3.1 base score of 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H). Unauthenticated remote attackers can exploit it over the network with high attack complexity and no user interaction. Successful exploitation enables high impacts on confidentiality, integrity, and availability across a changed scope.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/traveler/vulnerability/wordpress-traveler-theme-3-1-8-php-object-injection-vulnerability?_s_id=cve details the PHP object injection vulnerability and indicates that updating to Traveler version 3.2.1 or later mitigates the issue.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-8520
Vulnerability details
Deserialization of Untrusted Data vulnerability in shinetheme Traveler traveler. This issue affects Traveler: from n/a through < 3.2.1.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The PHP object injection (deserialization of untrusted data) vulnerability in a public-facing WordPress theme allows unauthenticated remote attackers to exploit the application over the network, directly mapping to T1190 Exploit Public-Facing Application.
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates the deserialization vulnerability by requiring timely patching of the Traveler WordPress theme to version 3.2.1 or later.
- SI-10 (Information Input Validation): validates untrusted input before it reaches deserialization, preventing PHP object injection from malicious serialized data.
- RA-5 (Vulnerability Monitoring and Scanning): scans systems for vulnerabilities like CVE-2025-26873 in the Traveler theme, identifying exploitable instances before they are attacked.