CVE-2026-25030
Published: 25 March 2026
Summary
CVE-2026-25030 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it is ranked at the 29.2nd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-25030 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the Goldish WordPress theme developed by park_of_ideas. The flaw allows PHP Object Injection and affects all Goldish versions prior to 3.47 (no lower bound is specified).
With a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), the vulnerability enables exploitation by unauthenticated remote attackers over the network with low attack complexity and no user interaction. Successful exploitation can result in high impacts to confidentiality, integrity, and availability through object injection.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/goldish/vulnerability/wordpress-goldish-theme-3-47-php-object-injection-vulnerability?_s_id=cve details the issue in the Goldish theme, with mitigation achieved by updating to version 3.47 or later.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-15627
Vulnerability details
Deserialization of Untrusted Data vulnerability in park_of_ideas Goldish (goldish) allows Object Injection. This issue affects Goldish: from n/a through < 3.47.
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
Remote unauthenticated deserialization/object injection in a public-facing WordPress theme directly matches exploitation of an internet-exposed web application for initial access and RCE.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires timely identification, reporting, and correction of the deserialization flaw in Goldish by updating to version 3.47 or later, which directly eliminates the vulnerability.
- SI-10 (Information Input Validation): implements input validation at deserialization points to reject or sanitize untrusted data, preventing object injection in the Goldish WordPress theme.
- SI-16 (Memory Protection): provides memory protections such as non-executable memory and ASLR as defense in depth against arbitrary native code execution that may follow a successful object injection; these do not prevent the PHP-level object injection itself.
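The SI-10 control above describes validation at the deserialization point. The following is an added illustration written for this page, not code from the Goldish theme or from park_of_ideas; the function names, the cookie name and the secret are assumptions. It shows the generic CWE-502 pattern that produces PHP Object Injection next to a hardened form that (1) authenticates the payload with an HMAC so only server-issued data is ever parsed, (2) parses plain data with JSON instead of unserialize(), and (3) where legacy serialized data must still be read, forbids object instantiation entirely.

```php
<?php
// Added illustration (hypothetical names); not the Goldish theme's own code.

// VULNERABLE PATTERN (CWE-502): a user-controlled cookie is handed straight to unserialize().
// Any class on the site with __wakeup() or __destruct() can then be instantiated by the client.
function demo_load_prefs_unsafe(): array {
    $raw   = $_COOKIE['theme_prefs'] ?? '';
    $prefs = unserialize($raw);               // untrusted input, no class restriction
    return is_array($prefs) ? $prefs : [];
}

// HARDENED FORM: integrity check + input validation at the deserialization point (SI-10).
// $cookie is "<json-payload>.<hex-hmac>"; $secret is a server-side key (assumed to come from
// wp-config.php or similar, never from the request).
function demo_load_prefs_safe(string $cookie, string $secret): array {
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return [];
    }
    [$payload, $mac] = $parts;

    // 1. Reject anything the server did not issue; hash_equals() is a constant-time compare.
    $expected = hash_hmac('sha256', $payload, $secret);
    if (!hash_equals($expected, $mac)) {
        return [];
    }

    // 2. Parse as plain data. json_decode() never instantiates application classes,
    //    so no magic methods run no matter what the payload contains.
    $decoded = json_decode($payload, true, 4);
    if (!is_array($decoded)) {
        return [];
    }

    // 3. Allow-list the keys and types the theme actually understands; drop everything else.
    $allowed = ['layout' => 'string', 'dark_mode' => 'boolean', 'font_size' => 'integer'];
    $clean   = [];
    foreach ($allowed as $key => $type) {
        if (array_key_exists($key, $decoded) && gettype($decoded[$key]) === $type) {
            $clean[$key] = $decoded[$key];
        }
    }
    return $clean;
}

// If legacy PHP-serialized data must still be read, forbid object creation outright:
// any class named in the payload becomes __PHP_Incomplete_Class, so __wakeup()/__destruct()
// of real classes never execute.
function demo_read_legacy(string $serialized): array {
    $data = unserialize($serialized, ['allowed_classes' => false]);
    return is_array($data) ? $data : [];
}

// Constructed sample input for an offline run.
$secret  = 'demo-secret-do-not-use';
$payload = json_encode(['layout' => 'wide', 'dark_mode' => true, 'unknown' => 'dropped']);
$cookie  = $payload . '.' . hash_hmac('sha256', $payload, $secret);

var_export(demo_load_prefs_safe($cookie, $secret));          // layout + dark_mode only
var_export(demo_load_prefs_safe($payload . '.bad', $secret)); // [] : bad MAC rejected
var_export(demo_read_legacy('O:8:"stdClass":0:{}'));          // [] : object not accepted as array
```

The order of the checks matters: the MAC is verified before any parsing, so a forged payload is discarded without touching a decoder at all, and the allow-list means that even a validly signed but unexpected field cannot reach theme logic. Updating to Goldish 3.47 or later (SI-2) remains the fix for the reported flaw; this pattern is how a theme or plugin avoids reintroducing the same class of bug.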