CVE-2026-25360

HighRCE

Published: 25 March 2026

Published

25 March 2026

Modified

24 April 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0006 19.0th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-25360 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 19.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mitigates the deserialization of untrusted data vulnerability by requiring timely patching of the Vex WordPress theme to version 1.2.9 or later.

SI-10 Information Input Validation good match

prevent

Prevents object injection by validating untrusted inputs before deserialization in the vulnerable Vex theme.

RA-5 Vulnerability Monitoring and Scanning partial match

detect

Identifies the deserialization vulnerability in the Vex theme through ongoing vulnerability scanning and monitoring.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

CVE describes remote exploitation of a public-facing WordPress theme via PHP deserialization/object injection by a low-privileged authenticated user, directly enabling initial access via public app exploitation (T1190) and privilege escalation to arbitrary code execution (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Deserialization of Untrusted Data vulnerability in rascals Vex vex allows Object Injection.This issue affects Vex: from n/a through < 1.2.9.

Deeper analysisAI

CVE-2026-25360 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the Vex WordPress theme developed by rascals, enabling PHP object injection. The issue affects all versions of the Vex theme prior to 1.2.9, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

The vulnerability can be exploited remotely by an authenticated attacker with low privileges, such as a WordPress user with contributor-level access, requiring low attack complexity and no user interaction. Successful exploitation allows object injection, potentially leading to high-impact confidentiality, integrity, and availability violations, including arbitrary code execution, data manipulation, or denial of service on the targeted WordPress site.

Patchstack's advisory details the vulnerability and recommends updating the Vex theme to version 1.2.9 or later as the primary mitigation, which resolves the deserialization flaw. No additional workarounds are specified in the provided references.

Details

CWE(s): CWE-502

CVEs Like This One

CVE-2026-24954Shared CWE-502

CVE-2026-27685Shared CWE-502

CVE-2025-14476Shared CWE-502

CVE-2025-60215Shared CWE-502

CVE-2025-36072Shared CWE-502

CVE-2025-59245Shared CWE-502

CVE-2026-22346Shared CWE-502

CVE-2026-24978Shared CWE-502

CVE-2026-24981Shared CWE-502

CVE-2025-50004Shared CWE-502

References

https://patchstack.com/database/Wordpress/Theme/vex/vulnerability/wordpress-vex-theme-1-2-9-php-object-injection-vulnerability?_s_id=cve
audit@patchstack.com