CVE-2025-68541
Published: 20 February 2026
Summary
CVE-2025-68541 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 29.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-68541 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the BoldThemes Ippsum WordPress theme that allows PHP Object Injection. It affects all Ippsum versions up to and including 1.2.0 (the advisory lists the range as "n/a through 1.2.0", i.e. no known lower bound). Published on 2026-02-20, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), which is Critical.
The vector means a remote, unauthenticated attacker can exploit it over the network with low attack complexity and no user interaction. Successful exploitation yields high impact to confidentiality, integrity, and availability. As with any PHP Object Injection, the practical outcome depends on which classes are loaded when the attacker-supplied serialized string is passed to unserialize(): turning injection into file writes or code execution needs a gadget chain, that is, a class whose magic method (__wakeup, __destruct, __toString and similar) does something useful to the attacker, and on a WordPress site that class can come from core, the theme itself, or any active plugin. Public gadget chains exist for widely used PHP libraries, so the full-impact assumption behind the CVSS rating is realistic rather than theoretical.
Patchstack has documented the vulnerability in its advisory for the Ippsum WordPress theme version 1.2.0, detailing the PHP Object Injection issue, available at https://patchstack.com/database/Wordpress/Theme/ippsum/vulnerability/wordpress-ippsum-theme-1-2-0-php-object-injection-vulnerability?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-208084
Vulnerability details
Deserialization of Untrusted Data vulnerability in BoldThemes Ippsum ippsum allows Object Injection. This issue affects Ippsum: from n/a through <= 1.2.0.
- CWE(s): CWE-502 Deserialization of Untrusted Data
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Exploit Public-Facing Application (T1190): the theme code is reachable by any visitor and the vulnerable deserialization requires no authentication, so initial access is direct remote exploitation of the WordPress site, with object injection as the path from untrusted input to code execution and full CIA impact.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates the CVE by requiring timely remediation, i.e. updating or removing every Ippsum installation at version 1.2.0 or earlier.
- SI-10 (Information Input Validation): prevents object injection by validating untrusted input before it reaches a deserialization routine, or better, by never passing client-supplied data to unserialize() at all.
- RA-5 (Vulnerability Monitoring and Scanning): identifies affected sites through automated scanning of installed WordPress theme and plugin versions against advisory data.
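The following is an added example, not code from the Ippsum theme or from Patchstack's advisory, that models the bug class behind this CVE (unserialize() on request-controlled data) beside the hardened handler the SI-10 control above calls for. The class TemplateCache, the functions load_layout_vulnerable() and load_layout_hardened(), and both serialized strings are hypothetical and constructed for the demonstration; the page does not document which gadget chain, parameter or code path Ippsum actually exposes. It runs stand-alone with `php example.php` on PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Added example (not Ippsum or Patchstack code). Hypothetical names:
// TemplateCache, load_layout_vulnerable(), load_layout_hardened().
// Requires PHP 8.0+ (typed properties, mixed return type).

// A hypothetical "gadget": a class with a magic method that has side effects.
// In a real WordPress install such classes come from core, the theme or any
// loaded plugin; the attacker does not upload it, they only name it.
final class TemplateCache
{
    public string $path = '';
    public string $content = '';

    // __destruct() runs when the object is freed, which for an unserialized
    // object happens as soon as the caller drops it, even if never used.
    public function __destruct()
    {
        if ($this->path !== '') {
            // Stands in for file_put_contents($this->path, $this->content).
            echo "[gadget] would write " . strlen($this->content)
               . " bytes to {$this->path}\n";
        }
    }
}

// Vulnerable pattern: a request-supplied value (cookie, POST field, AJAX
// parameter) goes straight into unserialize(). Any loaded class can be
// instantiated with attacker-chosen property values.
function load_layout_vulnerable(string $untrusted): mixed
{
    return unserialize($untrusted);
}

// Hardened pattern: refuse objects outright (allowed_classes => false turns
// every object in the payload into __PHP_Incomplete_Class, whose magic
// methods never run), then validate the shape of the result before use
// (NIST SI-10). Returns null for anything that is not a flat array of
// string keys and scalar values.
function load_layout_hardened(string $untrusted): ?array
{
    $data = @unserialize($untrusted, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return null;
    }
    foreach ($data as $key => $value) {
        if (!is_string($key) || !is_scalar($value)) {
            return null;
        }
    }
    return $data;
}

// Constructed attacker payload: exactly what serialize() of a TemplateCache
// would produce, but the attacker writes it by hand. No class code is sent.
$payload = 'O:13:"TemplateCache":2:{s:4:"path";s:19:"/var/www/html/x.php";'
         . 's:7:"content";s:5:"<?php";}';

// Constructed legitimate input: the plain options array the theme expects.
$benign = 'a:2:{s:5:"width";i:1200;s:7:"sidebar";s:4:"left";}';

echo "vulnerable handler:\n";
load_layout_vulnerable($payload);          // the [gadget] line is printed

echo "hardened handler:\n";
var_dump(load_layout_hardened($payload));  // NULL, and no [gadget] line
var_dump(load_layout_hardened($benign));   // array(2) { width, sidebar }
```

Two points a reviewer of theme or plugin code should take from this. First, `allowed_classes => false` stops class instantiation but does not make unserialize() a safe parser for hostile input in general; for new code that accepts structured data from the client, json_decode() with a depth limit and the same shape validation is the better choice. Second, WordPress's own maybe_unserialize() hands the data to unserialize() without an allowed_classes restriction, so routing untrusted input through it provides no protection against this bug class.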