External risk intelligence

EMV Creatify Object Injection Vulnerability

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2025-60236

A deserialization vulnerability in the EMV Creatify WordPress theme allows for object injection. If reachable, an attacker could exploit this by sending specially crafted data, potentially leading to the execution of malicious code or system compromise. Readers should care because this is a critical flaw in an internet

Deserialization

Halo Surface Signal

Likely · external exposure


This vulnerability affects a WordPress theme. WordPress themes are commonly deployed as internet-facing web applications, making the underlying code reachable via public network requests.

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in the Creatify WordPress theme that could allow attackers to inject malicious code. While the direct business impact and specific affected data are not yet fully understood, the nature of this flaw means it's important to confirm if your organization utilizes this theme and assess potential exposure.

  • Untrusted data can be injected into the system.
  • Critical flaw found in a widely used WordPress theme.
  • Confirm use and assess potential exposure of this theme.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by sending specially crafted data over the network to the EMV Creatify application. If this data is deserialized without proper validation, it could allow an attacker to inject malicious objects, potentially leading to system compromise.

  • Unauthenticated network access required.
  • Triggered by deserializing untrusted data.
  • Leads to object injection and system compromise.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an attacker to inject arbitrary objects into the system when the EMV Creatify application deserializes untrusted data. This could potentially lead to the execution of malicious code or the compromise of application integrity.

  • Affects application object integrity.
  • Via network deserialization of untrusted data.
  • May lead to arbitrary code execution.

Operational Fix

Recommended remediation, mitigation, and detection steps

The EMV Creatify WordPress theme's deserialization vulnerability requires immediate attention from teams responsible for web application security and content management systems. The first practical step is to identify all instances of Creatify, confirm their exposure and criticality, and then engage the accountable owner for remediation planning.

  • Application owners and platform teams own the resolution.
  • Verify Creatify's presence and internet exposure.
  • Plan vendor coordination for a fix.

Supplementary metadata

PCI scan relevance

Yes

CVE-2025-60236 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This critical vulnerability allows attackers to inject arbitrary objects over the network, potentially leading to complete system compromise. It is relevant to PCI scans due to its high severity and network attack vector.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.


Frequently asked questions

What is EMV Creatify?

EMV Creatify is a theme developed for the WordPress content management system. WordPress themes define the visual appearance and layout of a website, often adding functional components that handle user interactions and data processing behind the scenes. Because these themes run on the web server, any vulnerabilities within their code can directly impact the security and stability of the entire site.

How does CVE-2025-60236 relate to deserialization?

This CVE involves a weakness known as CWE-502, or Deserialization of Untrusted Data. In simple terms, software sometimes takes complex data structures that have been saved or transmitted and turns them back into active program objects. If the application does not verify the safety of this incoming data, an attacker can supply a malicious object that forces the system to perform unauthorized actions or run unintended code.

Do I need to be authenticated to trigger this vulnerability?

No, authentication is not required to trigger this flaw. The vulnerability is triggered when the application processes specially crafted data sent over the network. It is important to note that simply visiting a site or loading standard pages does not necessarily trigger the bug; the system must specifically receive and deserialize untrusted, malicious input provided by an attacker.
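As a detection aid for the deserialization described in the two answers above, the following added example (not code from the theme or from this advisory) flags request parameters that carry PHP-serialized objects. It assumes the theme uses PHP's native serialize() format, which the advisory does not state; the parameter names and request targets are constructed.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, quote, unquote_plus, urlsplit

# PHP serialize() writes an object as O:<name length>:"<ClassName>":<property count>:{...}
# (C: marks classes that implement the Serializable interface). Plain arrays, strings
# and integers never produce this token, so its presence in client input is notable.
OBJECT_TOKEN = re.compile(r'(?:^|[;{])[OC]:\d+:"([A-Za-z_\\][A-Za-z0-9_\\]*)":\d+:')

def candidate_decodings(value: str):
    """Yield the value as received, URL-decoded once more, and base64-decoded if valid."""
    yield value
    yield unquote_plus(value)  # covers double URL-encoding
    try:
        yield base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        pass  # not base64, nothing more to inspect

def serialized_classes(value: str) -> set:
    """Class names that unserialize() would be asked to instantiate from this value."""
    found = set()
    for text in candidate_decodings(value):
        found.update(OBJECT_TOKEN.findall(text))
    return found

def scan_request_line(request_target: str) -> dict:
    """Map each query parameter to the object class names found in its value."""
    hits = {}
    query = urlsplit(request_target).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        classes = serialized_classes(value)
        if classes:
            hits[name] = classes
    return hits

SAMPLE_TARGETS = [  # constructed request targets with hypothetical parameter names
    "/?s=hello&page=2",
    "/?prefs=" + quote('O:8:"stdClass":0:{}'),
    "/?state=" + quote(base64.b64encode(b'a:1:{i:0;O:8:"stdClass":0:{}}').decode()),
]

if __name__ == "__main__":
    for target in SAMPLE_TARGETS:
        print(target[:40], "->", scan_request_line(target) or "clean")
```

Access logs rarely record POST bodies or cookies, so apply serialized_classes() wherever those are visible, such as a WAF or reverse proxy.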

Is my site at risk if I use the Creatify theme?

According to Halo Surface Signal, this vulnerability affects a WordPress theme, and WordPress themes are typically deployed as internet-facing web applications. This means the code is often reachable via public network requests, increasing the likelihood that an attacker could reach the vulnerable component. If your site is accessible from the internet, you should prioritize checking if this specific theme is active in your environment.

What are the first steps to handle this security issue?

Start by identifying all websites or staging environments where the Creatify theme is currently installed. Once you have a list of affected instances, confirm whether these sites are connected to the internet. If you find the theme in use, reach out to the site owners or administrators to coordinate a plan for remediation, such as removing the theme or checking for official updates that resolve the object injection risk.
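One way to carry out the identification step above is to inventory theme directories on the web hosts. This is an added example, not part of the advisory: it relies on the standard WordPress style.css header, matches on the name "Creatify" because the advisory does not give the theme's directory name, and uses a constructed sample tree with made-up versions.

```python
import re
import tempfile
from pathlib import Path

# WordPress reads theme metadata from the comment header of each theme's style.css.
HEADER = re.compile(r"^[ \t/*#@]*(Theme Name|Version|Template):(.*)$", re.I | re.M)

def read_theme_header(style_css: Path) -> dict:
    """Return the 'theme name', 'version' and 'template' header fields, if present."""
    text = style_css.read_text(encoding="utf-8", errors="replace")[:8192]
    return {key.lower(): val.strip(" \t\r*/") for key, val in HEADER.findall(text)}

def find_theme(root: Path, needle: str = "creatify") -> list:
    """Installed themes under root whose name or directory contains needle,
    followed by child themes whose Template header names one of those directories."""
    themes = [{"slug": css.parent.name, "path": str(css.parent), **read_theme_header(css)}
              for css in sorted(root.rglob("wp-content/themes/*/style.css"))]
    hits = [t for t in themes
            if needle in t["slug"].lower() or needle in t.get("theme name", "").lower()]
    parents = {t["slug"] for t in hits}
    children = [t for t in themes if t not in hits and t.get("template") in parents]
    return hits + children

def build_sample_tree(root: Path) -> None:
    """Constructed sample: two sites, three themes; slugs and versions are made up."""
    samples = {
        "site-a/wp-content/themes/creatify": "/*\nTheme Name: Creatify\nVersion: 0.0.0\n*/",
        "site-a/wp-content/themes/shop-child":
            "/*\n Theme Name: Shop Child\n Template: creatify\n*/",
        "site-b/wp-content/themes/plainblog": "/*\nTheme Name: Plain Blog\nVersion: 1.0\n*/",
    }
    for rel, header in samples.items():
        (root / rel).mkdir(parents=True)
        (root / rel / "style.css").write_text(header, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        for theme in find_theme(Path(tmp)):
            print(theme["slug"], theme.get("version", "?"), theme["path"])
```

The active theme is recorded in the site's database rather than on disk, so treat every hit as installed and confirm activation and internet exposure with the site owner.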
