CVE-2025-60216
Published: 22 October 2025
Summary
CVE-2025-60216 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 26.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-60216 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the BoldThemes Addison WordPress theme that allows PHP Object Injection. It affects every Addison release prior to 1.4.8; the advisory records no lower bound ("n/a"), so all older versions should be treated as affected.
The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating it can be exploited remotely by unauthenticated attackers with low attack complexity and no user interaction. Successful exploitation could result in high impacts to confidentiality, integrity, and availability.
The Patchstack advisory describes the flaw as a PHP Object Injection vulnerability in the WordPress Addison theme, cites version 1.4.2, and gives updating to version 1.4.8 or later as the fix.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-35410
Vulnerability details
Deserialization of Untrusted Data vulnerability in BoldThemes Addison (addison) allows Object Injection. This issue affects Addison: from n/a through < 1.4.8.
- CWE(s): CWE-502 Deserialization of Untrusted Data
Related Threats
MITRE ATT&CK Enterprise Techniques: T1190 Exploit Public-Facing Application
Why these techniques?
CVE-2025-60216 is a critical-severity (CVSS 9.8) unauthenticated remote deserialization/Object Injection vulnerability in a public-facing WordPress theme, so exploitation maps directly to T1190, Exploit Public-Facing Application. The score rates the worst case: turning object injection into code execution on a particular site still requires a usable gadget chain among the classes that WordPress core, the theme, and the installed plugins load.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): updating the BoldThemes Addison theme to version 1.4.8 or later removes the deserialization flaw and is the only control that closes the unauthenticated remote path.
- SI-10 (Information Input Validation): validating and rejecting untrusted input before it reaches unserialize() reduces exposure, but validation alone cannot reliably tell a benign serialized string from a gadget payload. The durable fix is to stop deserializing untrusted data at all: call unserialize() with allowed_classes => false, prefer JSON for data that crosses a trust boundary, and carry any serialized state in an integrity-protected form.
- RA-5 (Vulnerability Monitoring and Scanning): vulnerability scanning detects Addison installations below 1.4.8 so they can be prioritised for remediation.
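To make the CWE-502 pattern and the SI-10 mitigation above concrete, here is an added PHP example; it is not code from the Addison theme or from the Patchstack advisory, and the class, function and parameter names (CacheWriter, load_settings_*) are hypothetical. It shows a gadget class firing from an attacker-supplied serialized string, then the same input handled with allowed_classes => false and with JSON.

```php
<?php
// Added example, not code from the Addison theme or the Patchstack advisory.
// Class, function and parameter names are hypothetical; the only point is the
// unserialize() pattern that CWE-502 / PHP Object Injection describes, and its fix.

// A "gadget": any class already loaded by WordPress, a plugin or the theme whose
// magic method acts on attacker-controlled properties. A real gadget would call
// file_put_contents(), include, or similar; this one only records the call.
class CacheWriter
{
    public $path;
    public $data;

    public function __destruct()
    {
        // Runs as soon as the object created by unserialize() goes out of scope,
        // without the application ever calling a method on it.
        $GLOBALS['gadget_calls'][] = ['path' => $this->path, 'data' => $this->data];
    }
}

// Vulnerable: a request parameter is decoded and passed straight to unserialize().
// Any O:<len>:"<class>":... fragment in the payload instantiates that class.
function load_settings_vulnerable(string $raw)
{
    return unserialize(base64_decode($raw));
}

// Hardened (1): never instantiate classes from this input (PHP >= 7.0). Objects
// in the payload become __PHP_Incomplete_Class, whose magic methods do not run.
function load_settings_hardened(string $raw)
{
    $decoded = base64_decode($raw, true);          // strict mode rejects non-base64
    if ($decoded === false) {
        return null;
    }
    return unserialize($decoded, ['allowed_classes' => false]);
}

// Hardened (2), preferred for new code: a format that cannot carry objects with
// behaviour at all.
function load_settings_json(string $raw): ?array
{
    try {
        $value = json_decode($raw, true, 16, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return null;
    }
    return is_array($value) ? $value : null;
}

// Constructed payload: what an unauthenticated request body or query parameter
// would carry. serialize() is used here for readability; an attacker writes the
// string by hand and needs no access to the class source.
$gadget = new CacheWriter();
$gadget->path = '/var/www/html/wp-content/uploads/x.php';
$gadget->data = '<?php /* attacker code */ ?>';
$payload = base64_encode(serialize($gadget));
unset($gadget);                       // destructor of our own copy fires here
$GLOBALS['gadget_calls'] = [];        // reset the sink before the real test

load_settings_vulnerable($payload);   // return value discarded -> __destruct runs
printf("vulnerable: gadget ran %d time(s)\n", count($GLOBALS['gadget_calls']));

$obj = load_settings_hardened($payload);
printf("hardened:   gadget ran %d time(s), got %s\n",
    count($GLOBALS['gadget_calls']), get_class($obj));

var_dump(load_settings_json($payload));  // NULL: a base64 blob is not JSON
```

Run with any PHP 7.3 or newer CLI: the first line reports one gadget call, the second still reports one (the hardened path returns a __PHP_Incomplete_Class instead of a CacheWriter), and the JSON path rejects the input outright. Note that allowed_classes => false stops class instantiation but still parses attacker-controlled structure; if serialized state must cross a trust boundary, sign it (for example with hash_hmac) and verify the MAC before unserialize() is ever called.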