CVE-2025-60215

HighRCE

Published: 22 October 2025

Published

22 October 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0012 30.2th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-60215 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 30.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Flaw remediation directly prevents exploitation of the deserialization vulnerability by applying patches to affected Kriya theme versions up to 3.4.

SI-10 Information Input Validation partial match

prevent

Information input validation mitigates object injection by ensuring untrusted data is checked and sanitized before deserialization in the WordPress theme.

RA-5 Vulnerability Monitoring and Scanning partial match

detect

Vulnerability monitoring and scanning identifies the presence of CVE-2025-60215 in deployed Kriya theme instances for timely remediation.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

Deserialization of untrusted data (PHP Object Injection) in a public-facing WordPress theme enables remote code execution from low-privileged authenticated access, directly facilitating T1190 (Exploit Public-Facing Application) and T1068 (Exploitation for Privilege Escalation).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Deserialization of Untrusted Data vulnerability in designthemes Kriya kriya allows Object Injection.This issue affects Kriya: from n/a through <= 3.4.

Deeper analysisAI

CVE-2025-60215 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the Kriya WordPress theme developed by designthemes. The flaw allows Object Injection and affects Kriya versions from n/a through 3.4 inclusive.

The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity. A low-privileged authenticated attacker can exploit it over the network with low complexity and no user interaction required, achieving high impacts on confidentiality, integrity, and availability.

The Patchstack advisory provides further details on this WordPress Kriya theme vulnerability at https://patchstack.com/database/Wordpress/Theme/kriya/vulnerability/wordpress-kriya-theme-3-4-php-object-injection-vulnerability?_s_id=cve.

Details

CWE(s): CWE-502

CVEs Like This One

CVE-2026-24954Shared CWE-502

CVE-2026-27685Shared CWE-502

CVE-2025-14476Shared CWE-502

CVE-2025-36072Shared CWE-502

CVE-2025-59245Shared CWE-502

CVE-2026-22346Shared CWE-502

CVE-2026-24978Shared CWE-502

CVE-2026-24981Shared CWE-502

CVE-2025-50004Shared CWE-502

CVE-2026-3328Shared CWE-502

References

https://patchstack.com/database/Wordpress/Theme/kriya/vulnerability/wordpress-kriya-theme-3-4-php-object-injection-vulnerability?_s_id=cve
audit@patchstack.com