CVE-2025-60238
Published: 22 October 2025
Summary
CVE-2025-60238 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 27.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates CVE-2025-60238 by requiring timely patching or updating of the vulnerable Universam WordPress plugin versions through 9.04.02.
- Prevents object injection in CVE-2025-60238 by validating untrusted data inputs before deserialization in the universam-demo component.
- Eliminates exposure to CVE-2025-60238 by restricting the Universam plugin and its demo component to only essential functionality.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a deserialization flaw in a public-facing WordPress plugin, directly enabling unauthenticated remote exploitation of a public-facing application for RCE and server compromise.
NVD Description
Deserialization of Untrusted Data vulnerability in universam UNIVERSAM universam-demo allows Object Injection. This issue affects UNIVERSAM: from n/a through <= 9.04.02.
Deeper analysis
CVE-2025-60238 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the Universam WordPress plugin, specifically its universam-demo component, that enables PHP Object Injection. The issue affects Universam versions from unknown (n/a) through 9.04.02, including version 8.72.14 as noted in advisories. Published on 2025-10-22, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), which places it in the Critical range.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Because the component deserializes untrusted input, a successful request injects an attacker-chosen object; the resulting impact on confidentiality, integrity, and availability is rated high, and can extend to remote code execution or other severe compromise depending on which classes are available to the injected object and on the server configuration.
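To make the CWE-502 mechanism concrete, the following added example (not code from the Universam plugin, the Patchstack advisory, or this page) shows the generic PHP pattern behind object injection beside a version that applies the SI-10 input-validation control named above. The DemoSettings class, the function names, the expected keys and the sample payloads are all constructed for illustration; the example generalizes beyond this CVE to any PHP code that calls unserialize() on request data.

```php
<?php
// Added example: generic PHP Object Injection (CWE-502) pattern and a hardened
// counterpart. Nothing here is taken from the Universam plugin; all names are hypothetical.

// A class with a magic method is what makes deserializing attacker-controlled data
// dangerous: __wakeup()/__destruct() run automatically on the reconstructed object.
class DemoSettings
{
    public string $logFile = '/tmp/demo-settings.log';

    public function __wakeup(): void
    {
        // Hypothetical side effect that fires purely because the object was deserialized.
        echo "[DemoSettings::__wakeup] would touch {$this->logFile}\n";
    }
}

// Vulnerable pattern: untrusted input goes straight into unserialize(), so any class
// loadable by the application can be instantiated and its magic methods executed.
function loadSettingsUnsafe(string $untrusted): mixed
{
    return unserialize($untrusted);
}

// Hardened pattern (SI-10 style validation before deserialization):
//  1. reject any payload that is not the serialized-array shape we expect;
//  2. never allow object instantiation (allowed_classes => false, PHP 7.0+);
//  3. bound nesting depth (max_depth, PHP 7.4+) to limit resource exhaustion;
//  4. allow-list the keys and value types the component actually uses.
function loadSettingsSafe(string $untrusted): array
{
    // A serialized PHP array always starts with "a:<count>:{"; objects start with "O:".
    if (!preg_match('/^a:\d+:\{/', $untrusted)) {
        throw new InvalidArgumentException('rejected: not a serialized array');
    }

    $data = @unserialize($untrusted, ['allowed_classes' => false, 'max_depth' => 4]);
    if (!is_array($data)) {
        throw new InvalidArgumentException('rejected: malformed or non-array payload');
    }

    $clean = [];
    foreach (['theme' => 'string', 'items_per_page' => 'integer'] as $key => $type) {
        if (!array_key_exists($key, $data) || gettype($data[$key]) !== $type) {
            throw new InvalidArgumentException("rejected: bad or missing '$key'");
        }
        $clean[$key] = $data[$key];
    }
    return $clean;
}

// Constructed sample inputs: a benign settings array and a serialized object,
// which is the shape an object-injection payload takes.
$benign        = serialize(['theme' => 'dark', 'items_per_page' => 20]);
$objectPayload = serialize(new DemoSettings());

echo "unsafe + benign : ", json_encode(loadSettingsUnsafe($benign)), "\n";
echo "unsafe + object : ";
var_dump(loadSettingsUnsafe($objectPayload) instanceof DemoSettings); // __wakeup() has already run

echo "safe   + benign : ", json_encode(loadSettingsSafe($benign)), "\n";
try {
    loadSettingsSafe($objectPayload);
} catch (InvalidArgumentException $e) {
    echo "safe   + object : ", $e->getMessage(), "\n";
}
```

Run with `php example.php`. The unsafe path prints the __wakeup() message before the caller ever sees the object, which is the whole point of the flaw: the side effect happens inside unserialize() itself. The safe path rejects the object payload at the shape check, and even if that check were bypassed, allowed_classes => false turns any object into a __PHP_Incomplete_Class with no magic methods invoked. Where a component only needs plain data, replacing unserialize() with json_decode() removes the object-instantiation surface entirely.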
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/universam-demo/vulnerability/wordpress-universam-plugin-8-72-14-php-object-injection-vulnerability?_s_id=cve provides details on the vulnerability in the Universam plugin, including recommendations for mitigation such as updating to a patched version if available or removing the plugin.
Details
- CWE(s): CWE-502 (Deserialization of Untrusted Data)