CVE-2025-59007
Published: 22 October 2025
Summary
CVE-2025-59007 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 26.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-59007 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the TF Woo Product Grid Addon For Elementor WordPress plugin (tf-woo-product-grid), which allows Object Injection. The issue affects all versions from n/a through 1.0.1 and was published on 2025-10-22.
The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable remotely over the network by unauthenticated attackers with low attack complexity and no user interaction required. Successful exploitation can lead to high impacts on confidentiality, integrity, and availability, enabling attackers to inject malicious objects during deserialization.
The Patchstack advisory provides further details on this vulnerability, available at https://patchstack.com/database/Wordpress/Plugin/tf-woo-product-grid/vulnerability/wordpress-tf-woo-product-grid-addon-for-elementor-plugin-1-0-1-deserialization-of-untrusted-data-vulnerability?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-35441
Vulnerability details
Deserialization of Untrusted Data vulnerability in themesflat TF Woo Product Grid Addon For Elementor tf-woo-product-grid allows Object Injection. This issue affects TF Woo Product Grid Addon For Elementor: from n/a through <= 1.0.1.
- CWE(s): CWE-502 (Deserialization of Untrusted Data)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct remote unauthenticated deserialization/object injection in a public-facing WordPress plugin enables exploitation of the web application (T1190).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly mitigates the deserialization vulnerability by requiring identification, reporting, and correction of the specific flaw in the TF Woo Product Grid Addon plugin.
- SI-10 (Information Input Validation): Prevents object injection by enforcing validation of untrusted data inputs prior to deserialization in the WordPress plugin.
- Enables detection of the deserialization vulnerability through regular vulnerability scanning of the system and hosted WordPress applications.
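What the SI-10 control means in practice for a PHP/WordPress code base is shown below. This is an added illustration, not code from the tf-woo-product-grid plugin or from Patchstack: it places the CWE-502 pattern (unserialize() on request-controlled data) next to three defensive alternatives. It assumes PHP 8 and the sample inputs and setting names (columns, order) are constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not the plugin's own code. Shows why unserialize() on untrusted
// input is CWE-502 and how input validation (NIST SI-10) removes the object
// injection primitive.

// Constructed sample input: a serialized stdClass object, as it might arrive in
// a request parameter.
const SAMPLE_OBJECT = 'O:8:"stdClass":1:{s:4:"name";s:3:"foo";}';
// Constructed sample of what a grid feature actually needs: a flat settings map.
const SAMPLE_JSON = '{"columns":"3","order":"asc"}';

// Vulnerable pattern (CWE-502): any class loaded by WordPress, the theme or other
// plugins can be instantiated with attacker-chosen properties, and that class's
// __wakeup()/__destruct() logic runs on the attacker's data.
function unsafe_decode(string $blob): mixed
{
    return unserialize($blob);
}

// Hardened option 1: keep the PHP serialization format but refuse to create
// objects. Any O:/C: token becomes __PHP_Incomplete_Class, which carries no
// behaviour, so no magic methods execute.
function decode_without_objects(string $blob): mixed
{
    return unserialize($blob, ['allowed_classes' => false]);
}

// Hardened option 2: reject serialized objects at the input boundary. Returns
// true when the blob contains an object (O:) or custom-serialized class (C:)
// token; conservative by design, a false positive only rejects odd input.
function contains_serialized_object(string $blob): bool
{
    return preg_match('/(?:^|[;{])[OC]:\d+:"/', $blob) === 1;
}

// Hardened option 3: do not use PHP serialization for untrusted data at all.
// Parse JSON and validate the shape against an allow-list of what the feature needs.
function decode_grid_settings(string $input): array
{
    $data = json_decode($input, true, 16, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new InvalidArgumentException('grid settings must be a JSON object');
    }
    $allowed = ['columns', 'order']; // assumed allow-list of setting names
    $clean = [];
    foreach ($data as $key => $value) {
        if (!is_string($key) || !in_array($key, $allowed, true) || !is_string($value)) {
            throw new InvalidArgumentException("unexpected setting: {$key}");
        }
        $clean[$key] = $value;
    }
    return $clean;
}

// Self-checks on the constructed inputs.
assert(decode_without_objects(SAMPLE_OBJECT) instanceof __PHP_Incomplete_Class);
assert(contains_serialized_object(SAMPLE_OBJECT) === true);
assert(contains_serialized_object('a:1:{i:0;s:3:"foo";}') === false);
assert(decode_grid_settings(SAMPLE_JSON) === ['columns' => '3', 'order' => 'asc']);
echo "checks passed\n";
```

Option 1 is the smallest change to existing code and is what a flaw-remediation release typically ships; options 2 and 3 are the input-validation controls proper, because they decide what the input may contain before any parser with side effects touches it.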