CVE-2025-54014
Published: 20 August 2025
Summary
CVE-2025-54014 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 35.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-54014 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the QuanticaLabs MediCenter - Health Medical Clinic WordPress theme, enabling Object Injection. This issue affects the MediCenter theme versions from n/a through 15.1.
The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating that unauthenticated remote attackers can exploit it over the network with low complexity and no user interaction required. Successful exploitation could result in high impacts to confidentiality, integrity, and availability, such as arbitrary code execution or other severe compromises via malicious object deserialization.
The Patchstack advisory provides details on this PHP Object Injection vulnerability in the MediCenter WordPress theme version 15.1, including potential mitigation guidance: https://patchstack.com/database/Wordpress/Theme/medicenter/vulnerability/wordpress-medicenter-health-medical-clinic-15-1-php-object-injection-vulnerability?_s_id=cve.
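The following PHP snippet is an added illustration of the vulnerability class (CWE-502, PHP Object Injection) and of the two standard remediations; it is not code from the MediCenter theme and makes no claim about where in the theme the flaw lies. The class name CacheEntry, the preference-loading functions and the sample inputs are all constructed for the example, which assumes PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Constructed class: any autoloadable class with a magic method such as
// __wakeup() or __destruct() becomes reachable once attacker-controlled data
// reaches unserialize(). This one only announces that it ran.
final class CacheEntry
{
    public string $key = '';

    public function __wakeup(): void
    {
        echo "CacheEntry::__wakeup() executed during unserialize()\n";
    }
}

// VULNERABLE PATTERN: unserialize() straight from request data (cookie, POST
// field, option value). PHP instantiates whatever class the string names.
function loadPrefsVulnerable(string $untrusted): mixed
{
    return unserialize($untrusted);
}

// Shared allow-list validation: accept only the keys and values the feature
// actually needs, with strict types, regardless of how the data was decoded.
function validatePrefs(mixed $data): ?array
{
    if (!is_array($data)) {
        return null;
    }
    $layout = $data['layout'] ?? null;
    if (!is_string($layout) || !in_array($layout, ['grid', 'list'], true)) {
        return null;
    }
    return ['layout' => $layout];
}

// HARDENED PATTERN 1: keep PHP serialization but forbid object creation.
// Objects in the input become __PHP_Incomplete_Class and fail validation;
// no magic method runs on them.
function loadPrefsHardened(string $untrusted): ?array
{
    $data = @unserialize($untrusted, ['allowed_classes' => false]);
    return validatePrefs($data);
}

// HARDENED PATTERN 2: do not use PHP serialization for untrusted data at all.
// JSON has no notion of classes, so there is nothing to inject.
function loadPrefsJson(string $untrusted): ?array
{
    $data = json_decode($untrusted, true, 4);
    return validatePrefs($data);
}

// Constructed inputs (not captured traffic): a benign preference blob and a
// serialized object that a site visitor should never be able to supply.
$benign   = serialize(['layout' => 'grid']);
$objectIn = serialize(new CacheEntry());

// Vulnerable path: the object is rebuilt and its __wakeup() fires.
loadPrefsVulnerable($objectIn);

// Hardened paths: the object input is rejected, the benign inputs are accepted
// and reduced to exactly the validated shape.
var_dump(loadPrefsHardened($objectIn));
var_dump(loadPrefsHardened($benign));
var_dump(loadPrefsJson('{"layout":"list"}'));
var_dump(loadPrefsJson('{"layout":"list","extra":{"nested":1}}'));
```

For code review or detection, the pattern to search a theme or plugin for is any unserialize() call whose argument can be traced back to a request, cookie or user-editable option; the fix is either the allowed_classes option with shape validation or a move to json_decode(). The allow-list validation matters in both hardened paths: allowed_classes => false alone only stops object instantiation, it does not make the remaining array trustworthy.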
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-28545
Vulnerability details
Deserialization of Untrusted Data vulnerability in QuanticaLabs MediCenter - Health Medical Clinic medicenter allows Object Injection. This issue affects MediCenter - Health Medical Clinic: from n/a through <= 15.1.
- CWE(s): CWE-502 (Deserialization of Untrusted Data)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190: Exploit Public-Facing Application
Why these techniques?
Unauthenticated remote deserialization/RCE in public-facing WordPress theme directly matches exploitation of a public-facing application.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly remediates the deserialization of untrusted data flaw in the MediCenter WordPress theme by requiring timely identification, reporting, and patching.
- Input validation: Mitigates exploitation by enforcing validation and sanitization of untrusted inputs prior to deserialization processing in the application.
- RA-5 (Vulnerability Monitoring and Scanning): Identifies the CVE-2025-54014 vulnerability in the MediCenter theme through regular automated vulnerability scanning of software components.