External risk intelligence

PHP Object Injection in SeaFood Company Theme

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2025-69122

An unauthenticated PHP object injection vulnerability exists in SeaFood Company software, potentially enabling attackers to execute arbitrary PHP code remotely. This occurs when the application processes untrusted data, leading to the unserialization of malicious PHP objects, which could compromise the integrity and av

Deserialization

Halo Surface Signal

Likely · external exposure

4Halo Surface Signal

The vulnerability affects a WordPress theme, which is typically deployed as a public-facing web application. Unauthenticated PHP object injection in a web theme allows for remote interaction with the application from the internet by default, consistent with common web-based deployment patterns.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability involves an unauthenticated PHP object injection flaw in SeaFood Company software, potentially allowing attackers to execute code remotely. The core issue lies in how the software handles serialized data, creating a significant risk for any deployed instances. The main concern at this time is confirming if our organization uses this specific software.

  • Code injection in widely accessible software.
  • Public-facing systems are at risk.
  • Confirm relevance and exposure.

Attack Path

How an attacker could exploit the issue

This vulnerability allows an unauthenticated attacker to inject malicious PHP objects into the SeaFood Company theme. Attackers can exploit this by sending specially crafted requests to a vulnerable website, leading to the injection of these objects. If successful, this could result in a complete compromise of the affected system.

  • No authentication required.
  • Triggered by sending crafted requests.
  • Risk of full system compromise.

Live Threat

Current exploitation, exposure, and threat context

Unauthenticated PHP Object Injection in SeaFood Company could allow an attacker to execute arbitrary PHP code. This may occur when the application processes untrusted data in a way that leads to the unserialization of malicious PHP objects, potentially affecting the integrity and availability of the application and its underlying system.

  • Application code and data.
  • Malicious PHP object injection.
  • Code execution and system compromise.

Operational Fix

Recommended remediation, mitigation, and detection steps

This critical vulnerability in a WordPress theme likely impacts customer-facing websites. Application owners and platform teams should prioritize identifying all instances of the affected theme, assessing their exposure and business criticality, and coordinating with vendor management for remediation.

  • Application owners and platform teams
  • Verify theme deployment and reachability
  • Plan remediation based on exposure

Supplementary metadata

PCI scan relevance

Yes

CVE-2025-69122 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This unauthenticated PHP Object Injection vulnerability in Seafood Company <= 1.4 allows for remote code execution, potentially leading to a PCI ASV scan failure.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Free EASM Trial See How Signal Works

Frequently asked questions

What is SeaFood Company?

SeaFood Company is a WordPress theme used to manage the visual layout and presentation of websites running on the WordPress content management system. It serves as a structural template that defines how a site appears to visitors. Because it functions within the WordPress environment, it handles various data-processing tasks to render pages, which is where the flaw in version 1.4 and earlier resides.

What does PHP object injection mean for CVE-2025-69122?

This vulnerability is classified as CWE-502: Deserialization of Untrusted Data. In plain terms, the software incorrectly processes incoming data that it expects to be structured as a PHP object. An attacker can manipulate this process to inject their own malicious objects, which the application then inadvertently executes. This bypasses typical security controls, allowing unauthorized commands to run on the server.

How is this vulnerability triggered?

An attacker triggers this by sending a specially crafted HTTP request to a website using the vulnerable theme. Because no authentication is required, the attacker does not need a user account or special permissions to initiate the attack. However, simply visiting the site normally or performing standard administrative actions will not trigger the vulnerability; it requires the specific, malicious data payload designed to exploit the unserialization process.

Is my organization at risk if we use this theme?

Halo Surface Signal indicates that because this is a WordPress theme, it is frequently deployed on internet-facing web servers. If your instance is reachable from the public internet, it falls into the high-risk category for this CVE. Internally hosted sites with restricted access are less likely to be targeted by automated scans, but they remain vulnerable if an attacker gains access to the internal network.

Do I need to take action to secure our systems?

Yes, prioritize identifying every installation of the SeaFood Company theme within your environment. Verify which websites are currently active and confirm their public accessibility. Once identified, work with your team to determine if you can update the theme or if you must temporarily disable it to prevent potential compromise while awaiting a permanent fix from the vendor.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished