{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-67997", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-15T10:00:44.501Z", "datePublished": "2026-02-20T15:46:33.519Z", "dateUpdated": "2026-04-28T19:33:15.534Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "travelicious", "product": "Travelicious", "vendor": "BoldThemes", "versions": [{"changes": [{"at": "1.6.7", "status": "unaffected"}], "lessThanOrEqual": "1.6.7", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:02:18.228Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in BoldThemes Travelicious travelicious allows Object Injection.<p>This issue affects Travelicious: from n/a through < 1.6.7.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in BoldThemes Travelicious travelicious allows Object Injection.This issue affects Travelicious: from n/a through < 1.6.7."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:25.295Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/travelicious/vulnerability/wordpress-travelicious-theme-1-6-7-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress Travelicious theme < 1.6.7 - PHP Object Injection vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-24T20:59:55.721209Z", "id": "CVE-2025-67997", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T19:33:15.534Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-67997", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-24T20:59:55.721209Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T20:59:57.231Z"}}], "cna": {"title": "WordPress Travelicious theme < 1.6.7 - PHP Object Injection vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "BoldThemes", "product": "Travelicious", "versions": [{"status": "affected", "changes": [{"at": "1.6.7", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "1.6.7"}], "packageName": "travelicious", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:02:18.228Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/travelicious/vulnerability/wordpress-travelicious-theme-1-6-7-php-object-injection-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in BoldThemes Travelicious travelicious allows Object Injection.This issue affects Travelicious: from n/a through < 1.6.7.", "supportingMedia": [{"type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in BoldThemes Travelicious travelicious allows Object Injection.<p>This issue affects Travelicious: from n/a through < 1.6.7.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:25.295Z"}}}, "cveMetadata": {"cveId": "CVE-2025-67997", "state": "PUBLISHED", "dateUpdated": "2026-04-28T19:33:15.534Z", "dateReserved": "2025-12-15T10:00:44.501Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-20T15:46:33.519Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in BoldThemes Travelicious travelicious allows Object Injection.This issue affects Travelicious: from n/a through < 1.6.7."}, {"lang": "es", "value": "Vulnerabilidad de deserializaci\u00f3n de datos no confiables en BoldThemes Travelicious travelicious permite la inyecci\u00f3n de objetos. Este problema afecta a Travelicious: desde n/a hasta &lt; 1.6.7."}], "id": "CVE-2025-67997", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-20T16:22:06.063", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/travelicious/vulnerability/wordpress-travelicious-theme-1-6-7-php-object-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.6.7)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "1.6.7"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Travelicious", "source": "cna", "vendor": "BoldThemes"}, "product": "travelicious", "vendor": "boldthemes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-27T20:51:10.765159+00:00", "value": {"mitigation_remediation": ["Update the Travelicious theme to version 1.6.7 or later, which removes the vulnerable deserialization code.", "Disable any plugins or custom code that may pass user\u2011supplied data to the theme\u2019s deserialization functions as a temporary mitigation.", "Review the theme\u2019s configuration settings to ensure no unintended data is deserialized, and implement input validation wherever raw data is accepted."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all installations of the WordPress Travelicious theme with a version earlier than 1.6.7. Vendors and administrators using BoldThemes Travelicious need to verify their theme version; any version that predates 1.6.7 is potentially compromised.", "description_and_impact": "Deserialization of untrusted data in the BoldThemes Travelicious theme allows an attacker to inject malicious PHP objects. This object injection can lead to arbitrary PHP code execution, giving the attacker full control over the affected web server. The flaw arises because the theme processes user\u2011supplied input without proper validation.", "risk_and_exploitability": "With a CVSS score of 9.8, the risk is critical. The EPSS score of less than 1% indicates that, as of now, the likelihood of real\u2011world exploitation is low, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a web\u2011based input path that deserializes data, meaning an attacker could remotely trigger the flaw on a publicly accessible site. While the lack of a known exploit keeps the risk theoretical, the severity warrants urgent patching."}}}}, "created": "2026-02-23T14:45:59.780245+00:00", "updated": "2026-04-27T21:00:13.153625+00:00", "vendors": ["boldthemes", "boldthemes$PRODUCT$travelicious", "wordpress", "wordpress$PRODUCT$wordpress"]}