CVE-2025-69301
Published: 20 February 2026
Summary
CVE-2025-69301 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-69301 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the ThemeGoods PhotoMe WordPress theme, enabling Object Injection. The issue affects PhotoMe versions from n/a through 5.6.11.
With a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), the vulnerability allows remote unauthenticated attackers to exploit it over the network with low complexity and no user interaction. Successful exploitation can result in high impacts to confidentiality, integrity, and availability, potentially leading to full system compromise via arbitrary code execution or other object injection effects.
Patchstack advisories document the vulnerability specifically for the WordPress PhotoMe theme up to version 5.6.11, detailing the PHP Object Injection issue.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-207938
Vulnerability details
Deserialization of Untrusted Data vulnerability in ThemeGoods PhotoMe photome allows Object Injection.This issue affects PhotoMe: from n/a through <= 5.6.11.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct remote unauthenticated RCE via PHP deserialization/object injection in public-facing WordPress theme.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Flaw remediation requires timely patching of the deserialization vulnerability in PhotoMe versions up to 5.6.11, directly eliminating the object injection risk.
Information input validation checks untrusted data before deserialization, preventing malicious object injection in the WordPress theme.
Memory protection safeguards mitigate exploitation of object injection by preventing unauthorized code execution from deserialized objects.