CVE-2025-54001
Published: 05 March 2026
Summary
CVE-2025-54001 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 39.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-54001 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the ThemeREX Classter WordPress theme that enables PHP Object Injection. Published on 2026-03-05, this issue affects Classter versions from n/a through 2.5.
The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating it can be exploited remotely by unauthenticated attackers with low attack complexity and no user interaction required. Successful exploitation could result in high impacts to confidentiality, integrity, and availability, such as arbitrary code execution depending on the deserialized objects.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/classter/vulnerability/wordpress-classter-theme-2-5-php-object-injection-vulnerability?_s_id=cve.
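The root cause named above, untrusted data reaching PHP's unserialize(), is illustrated by the added example below; it is not Classter's code and the function and parameter names are hypothetical. It places the vulnerable pattern next to a hardened form that refuses to instantiate any class from request data.

```php
<?php
// Added example, not from the Classter theme. A theme option handler that
// accepts a serialized blob from a request. Function names are hypothetical.

// Vulnerable pattern (CWE-502): the sender chooses which classes get
// instantiated, so any class on the autoload path with a magic method
// (__wakeup, __destruct, __toString, ...) can be triggered. This is what
// "PHP Object Injection" means.
function load_layout_vulnerable(string $raw): array {
    $data = @unserialize($raw);          // no allowed_classes restriction
    return is_array($data) ? $data : [];
}

// Hardened form: forbid object instantiation entirely. Any object in the
// payload becomes a __PHP_Incomplete_Class instance whose magic methods never
// run, and the handler rejects the payload outright instead of using it.
// Note that WordPress' maybe_unserialize() helper passes no allowed_classes
// option either, so it is not a substitute for this.
function load_layout_hardened(string $raw): array {
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return [];
    }
    array_walk_recursive($data, function ($value) {
        if (is_object($value)) {
            throw new InvalidArgumentException('serialized objects are not accepted');
        }
    });
    return $data;
}

// Constructed sample inputs: a benign layout array, and one that smuggles an
// object (stdClass here, which is harmless; a real gadget would not be).
$benign  = 'a:1:{s:6:"layout";s:4:"grid";}';
$objectd = 'a:1:{s:6:"layout";O:8:"stdClass":0:{}}';

var_dump(load_layout_hardened($benign));   // array('layout' => 'grid')
try {
    load_layout_hardened($objectd);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

Where the data format is under the theme's own control, replacing serialize()/unserialize() with JSON removes the class-instantiation surface altogether.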
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-208299
Vulnerability details
Deserialization of Untrusted Data vulnerability in ThemeREX Classter allows Object Injection. This issue affects Classter: from n/a through <= 2.5.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct RCE via unauthenticated deserialization in public-facing WordPress theme maps cleanly to T1190.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly addresses the CVE by requiring identification, reporting, and correction of the deserialization flaw in Classter versions through <= 2.5.
- SI-10 (Information Input Validation): mandates validation of untrusted inputs to block malicious serialized data from triggering PHP object injection.
- Scans for and remediates vulnerabilities like CVE-2025-54001 in the Classter WordPress theme.