CVE-2025-54686
Published: 14 August 2025
Summary
CVE-2025-54686 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked in the top 40.8% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-54686 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the Exertio WordPress theme developed by scriptsbundle. The flaw enables Object Injection and affects Exertio versions from n/a through 1.3.2.
With a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), the vulnerability is exploitable by unauthenticated remote attackers with low attack complexity and no user interaction. Successful exploitation can result in high impact to confidentiality, integrity, and availability.
Patchstack's advisory documents the issue as a PHP Object Injection vulnerability in the WordPress Exertio theme version 1.3.2.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-24708
Vulnerability details
Deserialization of Untrusted Data vulnerability in scriptsbundle Exertio exertio allows Object Injection. This issue affects Exertio: from n/a through <= 1.3.2.
- CWE(s): CWE-502 (Deserialization of Untrusted Data)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
T1190 (Exploit Public-Facing Application): direct remote exploitation of a public-facing WordPress site via unauthenticated deserialization/object injection, leading to remote code execution.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates the deserialization vulnerability by requiring timely patching of the affected Exertio WordPress theme versions up to 1.3.2.
- SI-10 (Information Input Validation): prevents object injection by validating and sanitizing untrusted input data before deserialization in the PHP-based Exertio theme.
- SI-16 (Memory Protection): mitigates exploitation of object injection via memory protections like non-executable memory, reducing the impact of deserialized malicious objects.
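The page does not describe where in the Exertio theme the unsafe deserialization occurs, so the following is an added, generic illustration of the CWE-502 pattern and of what the SI-10 control asks for; it is not Exertio's code or Patchstack's. The cookie name, the `Demo` class and the preference format are assumptions constructed for the example.

```php
<?php
// Added example (not Exertio's code). Shows the CWE-502 pattern and two hardened forms.

// VULNERABLE PATTERN: unserialize() on attacker-controlled input. Any class loaded by
// the application (theme, plugins, WordPress core) can be instantiated, and its magic
// methods (__wakeup, __destruct, __toString, ...) run on data the attacker chose.
function load_prefs_vulnerable(string $cookie): mixed
{
    return unserialize($cookie);
}

// HARDENED 1: if the serialized format cannot be changed, forbid object creation and
// validate the shape of the result. With allowed_classes => false, any object in the
// payload becomes __PHP_Incomplete_Class, which the shape check then rejects.
function load_prefs_hardened(string $cookie): array
{
    $data = @unserialize($cookie, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return [];
    }
    foreach ($data as $key => $value) {
        // Preferences are expected to be flat string => scalar pairs (assumption).
        if (!is_string($key) || !is_scalar($value)) {
            return [];
        }
    }
    return $data;
}

// HARDENED 2 (preferred): use JSON, which cannot yield PHP objects, and authenticate
// the blob with an HMAC so tampered cookies are rejected before parsing.
function encode_prefs(array $prefs, string $key): string
{
    $payload = base64_encode(json_encode($prefs, JSON_THROW_ON_ERROR));
    return $payload . '.' . hash_hmac('sha256', $payload, $key);
}

function decode_prefs(string $blob, string $key): array
{
    $parts = explode('.', $blob, 2);
    if (count($parts) !== 2) {
        return [];
    }
    [$payload, $mac] = $parts;
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $mac)) {
        return []; // tampered or forged cookie
    }
    $decoded = json_decode(base64_decode($payload, true), true, 8);
    return is_array($decoded) ? $decoded : [];
}

// Demonstration with constructed inputs.
class Demo
{
    public function __wakeup(): void
    {
        echo "Demo::__wakeup ran on attacker-controlled data\n";
    }
}

$injected = 'O:4:"Demo":0:{}';            // constructed serialized object payload
$benign   = 'a:1:{s:5:"theme";s:4:"dark";}'; // constructed benign preference payload

load_prefs_vulnerable($injected);            // __wakeup fires: object injection
var_dump(load_prefs_hardened($injected));    // array(0) {} : object payload rejected
var_dump(load_prefs_hardened($benign));      // array(1) { ["theme"]=> "dark" }

$key  = 'constructed-example-key';
$blob = encode_prefs(['theme' => 'dark'], $key);
var_dump(decode_prefs($blob, $key));          // array(1) { ["theme"]=> "dark" }
var_dump(decode_prefs($blob . 'x', $key));    // array(0) {} : HMAC mismatch
```

Run with `php example.php`. The HMAC variant is the one to reach for in a WordPress theme because `wp_salt()` (or a dedicated secret stored in options) gives a per-site key, and it turns a deserialization problem into a signature check that fails closed.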