CVE-2025-68903
Published: 22 January 2026
Summary
CVE-2025-68903 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 28.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-68903 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the AivahThemes Anona WordPress theme, which allows Object Injection. This issue affects Anona versions from an unspecified initial release through 8.0 inclusive. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), reflecting its high severity due to network accessibility, low attack complexity, and potential for significant impacts on confidentiality, integrity, and availability.
A low-privileged authenticated user, such as a standard registered WordPress user, can exploit the vulnerability remotely without requiring user interaction. Exploitation involves providing untrusted data for deserialization, leading to Object Injection, which enables high-impact outcomes including unauthorized data access, modification, and disruption of services.
The Patchstack advisory provides details on this PHP Object Injection vulnerability in the Anona theme version 8.0; security practitioners should consult https://patchstack.com/database/Wordpress/Theme/anona/vulnerability/wordpress-anona-theme-8-0-php-object-injection-vulnerability?_s_id=cve for mitigation guidance, such as applying patches or upgrading the theme.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-3982
Vulnerability details
Deserialization of Untrusted Data vulnerability in AivahThemes Anona anona allows Object Injection.This issue affects Anona: from n/a through <= 8.0.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote authenticated deserialization/object injection in a public-facing WordPress theme directly enables exploitation of the web application for code execution or impact.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates CVE-2025-68903 by requiring identification, reporting, testing, and deployment of patches for the deserialization flaw in the Anona WordPress theme.
Prevents exploitation of the deserialization of untrusted data vulnerability by validating all inputs before processing to block malicious object injection.
Detects the CVE-2025-68903 vulnerability through regular scanning of the Anona theme and triggers remediation to address object injection risks.