CVE-2025-62035
Published: 06 November 2025
Summary
CVE-2025-62035 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 30.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-62035 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the uxper Togo WordPress theme. Published on 2025-11-06, it affects all versions of the Togo theme before 1.0.4 (the advisory gives no lower bound, "n/a"). The issue carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), reflecting its high severity: network accessibility, low attack complexity, and high impact on confidentiality, integrity, and availability.
An attacker with low privileges, such as an authenticated WordPress user, can exploit this vulnerability remotely without requiring user interaction. Exploitation involves PHP object injection via untrusted deserialization, enabling high confidentiality, integrity, and availability impacts, such as potential remote code execution or data manipulation on the affected site.
The Patchstack advisory details the vulnerability as a PHP object injection issue in the Togo WordPress theme and confirms it was fixed in version 1.0.4. Mitigation requires updating the theme to 1.0.4 or later to prevent exploitation.
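The advisory does not publish the affected code path, so the following is an added example of the CWE-502 pattern in PHP, not code from the Togo theme or from Patchstack. The function names, the settings keys and the sample payloads are constructed; the point is that `unserialize()` on request data instantiates whatever classes the payload names, while `allowed_classes => false` (PHP 7.0+) prevents any application object from being created from that input.

```php
<?php
// Added example (not Togo theme code). All names and payloads are hypothetical.

// Weak pattern described by CWE-502: a serialized string taken from a request
// is passed straight to unserialize(), so any class named in it is instantiated
// and its __wakeup()/__destruct() hooks may run on attacker-controlled data.
function load_settings_unsafe(string $raw)
{
    return unserialize($raw);
}

// Hardened helper: objects in the payload are never instantiated. With
// allowed_classes => false every object becomes __PHP_Incomplete_Class, and the
// recursive walk rejects even those so only scalars and arrays get through.
function safe_unserialize(string $data): array
{
    $result = @unserialize($data, ['allowed_classes' => false]);
    if (!is_array($result)) {
        return []; // malformed input, a bare scalar, or a top-level object
    }
    array_walk_recursive($result, function ($value): void {
        if (is_object($value)) {
            throw new UnexpectedValueException('object found in untrusted payload');
        }
    });
    return $result;
}

// Hardened loader: safe decoding plus an explicit allow-list of expected keys.
function load_settings_safe(string $raw): array
{
    $settings = safe_unserialize($raw);
    $allowed  = ['layout' => true, 'color_scheme' => true]; // constructed keys
    return array_intersect_key($settings, $allowed);
}

// Constructed samples: a benign array payload and one that smuggles an object.
$benign     = serialize(['layout' => 'grid', 'color_scheme' => 'dark', 'extra' => 1]);
$withObject = serialize(['layout' => new stdClass()]);

var_dump(load_settings_safe($benign));       // only layout and color_scheme survive
try {
    load_settings_safe($withObject);         // stdClass stands in for any class
} catch (UnexpectedValueException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

For configuration data a theme controls end to end, `json_decode($raw, true)` avoids the problem entirely, since JSON cannot name PHP classes.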
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-38086
Vulnerability details
Deserialization of Untrusted Data vulnerability in uxper Togo togo. This issue affects Togo: from n/a through < 1.0.4.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The deserialization vulnerability in the WordPress theme enables remote code execution by low-privilege authenticated users, which maps directly to T1190: Exploit Public-Facing Application.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely patching and remediation of known flaws such as this deserialization vulnerability, fixed in Togo theme version 1.0.4.
- SI-10 (Information Input Validation): mandates validation of untrusted inputs, blocking PHP object injection via unsafe deserialization in the WordPress theme.
- RA-5 (Vulnerability Monitoring and Scanning): enables vulnerability scanning to identify vulnerable Togo theme versions before they are exploited.