CVE-2025-68899
Published: 22 January 2026
Summary
CVE-2025-68899 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 28.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-68899 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the Vivagh WordPress theme developed by designthemes. The flaw enables Object Injection and affects Vivagh versions from n/a through 2.4 inclusive. It was published on 2026-01-22 with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.
The vulnerability can be exploited by low-privileged authenticated users over the network with low attack complexity and no user interaction required. Exploitation allows attackers to achieve high impacts on confidentiality, integrity, and availability, typically through arbitrary object instantiation in PHP that could lead to code execution or other severe effects depending on the deserialized objects.
Patchstack's advisory at https://patchstack.com/database/Wordpress/Theme/vivagh/vulnerability/wordpress-vivagh-theme-2-4-php-object-injection-vulnerability?_s_id=cve documents the PHP Object Injection issue in Vivagh theme version 2.4, providing details for WordPress security practitioners on the affected component.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-3974
Vulnerability details
Deserialization of Untrusted Data vulnerability in designthemes Vivagh vivagh allows Object Injection. This issue affects Vivagh: from n/a through <= 2.4.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
PHP object injection via untrusted deserialization in a public-facing WordPress theme directly enables remote code execution by authenticated attackers.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly mitigates the deserialization vulnerability by requiring timely identification, reporting, and correction of flaws in the Vivagh WordPress theme.
- SI-10 (Information Input Validation): Prevents object injection by enforcing validation of untrusted inputs, such as serialized data processed by the vulnerable theme.
- RA-5 (Vulnerability Monitoring and Scanning): Enables proactive discovery of the PHP object injection vulnerability through regular vulnerability scanning of WordPress themes.
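As an added illustration (not code from the Vivagh theme or from the Patchstack advisory), the hypothetical theme settings handler below shows the CWE-502 pattern described in the analysis next to an SI-10 style hardened form; the function names, the `settings` request field and the option keys are assumptions.

```php
<?php
// Added example, not Vivagh code. Hypothetical WordPress theme handler that
// imports settings posted by a logged-in user.

// Vulnerable pattern (CWE-502): request data goes straight into unserialize(),
// so the caller chooses which loaded PHP classes get instantiated and whose
// __wakeup()/__destruct() methods run. That is PHP Object Injection.
function theme_import_settings_vulnerable() {
    $raw      = wp_unslash( $_POST['settings'] ?? '' );
    $settings = unserialize( $raw );          // attacker-controlled object graph
    update_option( 'theme_settings', $settings );
}

// Hardened form:
//  1. Gate the handler on a capability and a nonce, so a low-privileged
//     authenticated user cannot reach it at all.
//  2. Refuse to build objects: allowed_classes => false makes unserialize()
//     return __PHP_Incomplete_Class stubs instead of running magic methods.
//     (Preferring a JSON payload with json_decode() avoids unserialize entirely.)
//  3. Validate the decoded value against an allow-list of scalar keys.
function theme_import_settings_hardened() {
    if ( ! current_user_can( 'manage_options' )
        || ! check_ajax_referer( 'theme_settings', 'nonce', false ) ) {
        wp_die( 'Forbidden', 403 );
    }

    $raw  = wp_unslash( $_POST['settings'] ?? '' );
    $data = unserialize( $raw, [ 'allowed_classes' => false ] );
    if ( ! is_array( $data ) ) {
        wp_die( 'Invalid settings payload', 400 );
    }

    // Assumed option keys; each one is mapped to a WordPress sanitizer.
    $allowed = [
        'layout'       => 'sanitize_key',
        'accent_color' => 'sanitize_hex_color',
    ];
    $clean = [];
    foreach ( $allowed as $key => $sanitizer ) {
        if ( isset( $data[ $key ] ) && is_string( $data[ $key ] ) ) {
            $clean[ $key ] = $sanitizer( $data[ $key ] );
        }
    }
    update_option( 'theme_settings', $clean );   // only validated scalars stored
}
```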