External risk intelligence

ThemeREX Addons PHP Object Injection Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2025-60205

An unauthenticated PHP Object Injection vulnerability exists in ThemeREX Addons, potentially allowing attackers to execute arbitrary code. Confirmation of its presence and reachability within our environment is necessary to assess risk and plan remediation.

Deserialization

Halo Surface Signal

Likely · external exposure

4Halo Surface Signal

The vulnerability affects a WordPress plugin, which is typically deployed as part of an internet-facing web application. As a plugin component of a web site, it is commonly accessible via the public internet as part of the standard web request flow.

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability exists in ThemeREX Addons, a component used in web applications. This issue, an unauthenticated PHP Object Injection, could allow unauthorized actors to compromise systems without needing any credentials. The main concern is to confirm if this specific technology is in use within our environment.

  • Unauthenticated code injection in a web plugin.
  • Potential for unauthorized system compromise.
  • Confirm relevance and exposure within our systems.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by sending a specially crafted request to a website using the affected plugin. Since the vulnerability is unauthenticated, no login is required. This could lead to the execution of arbitrary code on the server, with potential consequences for data confidentiality, integrity, and system availability.

  • No authentication required to attack.
  • Exploited via network requests.
  • Allows arbitrary code execution.

Live Threat

Current exploitation, exposure, and threat context

Unauthenticated PHP Object Injection in ThemeREX Addons could allow an attacker to execute arbitrary code on the server, potentially leading to a complete compromise of the affected WordPress site. This could occur when the plugin processes maliciously crafted data, impacting the integrity and availability of the site and any data it manages.

  • Affected asset: WordPress site.
  • Exposure: Malicious data processing.
  • Consequence: Site compromise.

Operational Fix

Recommended remediation, mitigation, and detection steps

For this unauthenticated PHP object injection vulnerability, the platform or application owner is likely responsible for managing the affected WordPress plugin. The first practical step is to confirm the plugin's presence, assess its reachability and business criticality, identify the accountable owner, and then plan remediation based on the identified risk.

  • Platform/Application owners should lead remediation.
  • Verify plugin presence and exposure.
  • Plan risk-based remediation actions.

Supplementary metadata

PCI scan relevance

Yes

CVE-2025-60205 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

An unauthenticated PHP object injection vulnerability in ThemeREX Addons could allow remote code execution, which would cause a PCI ASV scan to fail.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Free EASM Trial See How Signal Works

Frequently asked questions

What is ThemeREX Addons?

ThemeREX Addons is a plugin designed for WordPress sites to extend functionality. It provides various tools and features that site administrators use to manage themes and customize website layouts. Because it is a plugin, it integrates directly into the WordPress environment and processes incoming web requests to deliver its intended site features.

What does PHP Object Injection mean for CVE-2025-60205?

This vulnerability is classified as CWE-502, which occurs when an application takes untrusted, user-supplied data and uses it to create an object without proper validation. In the context of CVE-2025-60205, it means the plugin can be tricked into interpreting malicious data as legitimate program instructions, potentially allowing unauthorized actions to run on the underlying server.

How does an attacker trigger this vulnerability?

An attacker triggers this issue by sending a specially crafted network request to the web server where the vulnerable plugin is installed. Because this is an unauthenticated vulnerability, no prior login or account access is necessary. The bug is only triggered when the plugin actively processes the malicious data provided in that request; simply visiting the site without submitting the specific crafted data will not trigger the flaw.

Is my site at risk from this CVE?

According to Halo Surface Signal, this vulnerability affects a WordPress plugin, which is typically part of an internet-facing web application. Since the plugin is part of the standard web request flow, it is generally accessible via the public internet. If your site runs an affected version of ThemeREX Addons, it is likely reachable by an external attacker, making it a high-priority concern for your environment.

What steps should I take if I use ThemeREX Addons?

The first step is to verify whether your environment is running the affected version of the plugin. Once you confirm the software's presence, assess the criticality of the site it supports. Identify the internal owner responsible for the application to plan for updates or mitigation. Focus your efforts on determining the scope of this plugin's use within your infrastructure to prioritize your response effectively.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished