CVE-2025-69405
Published: 20 February 2026
Summary
CVE-2025-69405 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-69405 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the WordPress theme Lorem Ipsum | Books & Media Store (lorem-ipsum-books-media-store) from ThemeREX. Published on 2026-02-20, it enables Object Injection and affects all versions from n/a through 1.2.11 inclusive. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical.
An unauthenticated remote attacker can exploit this vulnerability over the network with low attack complexity and without requiring user interaction. Successful exploitation grants high-impact access to confidentiality, integrity, and availability, potentially allowing arbitrary code execution or other severe consequences typical of PHP object injection in WordPress environments.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/lorem-ipsum-books-media-store/vulnerability/wordpress-lorem-ipsum-books-media-store-theme-1-2-6-php-object-injection-vulnerability?_s_id=cve provides details on the vulnerability, including potential patches or workarounds for affected installations.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-207981
Vulnerability details
Deserialization of Untrusted Data vulnerability in ThemeREX Lorem Ipsum | Books & Media Store lorem-ipsum-books-media-store allows Object Injection.This issue affects Lorem Ipsum | Books & Media Store: from n/a through <= 1.2.11.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated deserialization/RCE in public-facing WordPress theme directly enables T1190 Exploit Public-Facing Application.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates CVE-2025-69405 by identifying, reporting, and correcting the deserialization of untrusted data flaw in the Lorem Ipsum WordPress theme.
Validates information inputs to the system, preventing deserialization of malicious untrusted data that enables object injection in the vulnerable theme.
Deploys malicious code protection mechanisms to identify and block code execution resulting from successful object injection exploitation.