CVE-2025-69079
Published: 22 January 2026
Summary
CVE-2025-69079 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-69079 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the ThemeREX Sound | Musical Instruments Online Store WordPress theme, known as musicplace. This issue allows object injection and affects all versions from n/a through 1.6.9. The vulnerability received a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for severe impacts.
An unauthenticated attacker can exploit this vulnerability over the network with low attack complexity and no user interaction required. Exploitation enables object injection, which could result in high confidentiality, integrity, and availability impacts on the affected system.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/musicplace/vulnerability/wordpress-sound-musical-instruments-online-store-theme-1-6-9-deserialization-of-untrusted-data-vulnerability?_s_id=cve documents this vulnerability in the musicplace WordPress theme.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-3929
Vulnerability details
Deserialization of Untrusted Data vulnerability in ThemeREX Sound | Musical Instruments Online Store musicplace allows Object Injection.This issue affects Sound | Musical Instruments Online Store: from n/a through <= 1.6.9.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct unauthenticated remote deserialization/RCE in public-facing WordPress theme maps to exploitation of public-facing applications.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly prevents object injection from deserialization of untrusted data by validating inputs before processing in the WordPress theme.
Remediates the specific deserialization flaw in musicplace theme versions through n/a to 1.6.9 by identifying and patching the vulnerability.
Detects the CVE-2025-69079 vulnerability through scanning and initiates timely remediation to update the affected WordPress theme.