{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-68531", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-19T10:17:03.706Z", "datePublished": "2026-02-20T15:46:39.192Z", "dateUpdated": "2026-04-28T20:00:30.218Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "modeltheme-addons-for-wpbakery", "product": "ModelTheme Addons for WPBakery and Elementor", "vendor": "modeltheme", "versions": [{"changes": [{"at": "1.5.6", "status": "unaffected"}], "lessThanOrEqual": "1.5.6", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:02:34.847Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in modeltheme ModelTheme Addons for WPBakery and Elementor modeltheme-addons-for-wpbakery allows Object Injection.<p>This issue affects ModelTheme Addons for WPBakery and Elementor: from n/a through < 1.5.6.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in modeltheme ModelTheme Addons for WPBakery and Elementor modeltheme-addons-for-wpbakery allows Object Injection.This issue affects ModelTheme Addons for WPBakery and Elementor: from n/a through < 1.5.6."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:29.460Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/modeltheme-addons-for-wpbakery/vulnerability/wordpress-modeltheme-addons-for-wpbakery-and-elementor-plugin-1-5-6-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress ModelTheme Addons for WPBakery and Elementor plugin < 1.5.6 - PHP Object Injection vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-24T21:07:20.663515Z", "id": "CVE-2025-68531", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T20:00:30.218Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-68531", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-24T21:07:20.663515Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T21:07:22.129Z"}}], "cna": {"title": "WordPress ModelTheme Addons for WPBakery and Elementor plugin < 1.5.6 - PHP Object Injection vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "affected": [{"vendor": "modeltheme", "product": "ModelTheme Addons for WPBakery and Elementor", "versions": [{"status": "affected", "changes": [{"at": "1.5.6", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "< 1.5.6"}], "packageName": "modeltheme-addons-for-wpbakery", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-02-20T16:43:54.995Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/modeltheme-addons-for-wpbakery/vulnerability/wordpress-modeltheme-addons-for-wpbakery-and-elementor-plugin-1-5-6-php-object-injection-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in modeltheme ModelTheme Addons for WPBakery and Elementor modeltheme-addons-for-wpbakery allows Object Injection.This issue affects ModelTheme Addons for WPBakery and Elementor: from n/a through < 1.5.6.", "supportingMedia": [{"type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in modeltheme ModelTheme Addons for WPBakery and Elementor modeltheme-addons-for-wpbakery allows Object Injection.<p>This issue affects ModelTheme Addons for WPBakery and Elementor: from n/a through < 1.5.6.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-02-20T15:46:39.192Z"}}}, "cveMetadata": {"cveId": "CVE-2025-68531", "state": "PUBLISHED", "dateUpdated": "2026-02-24T21:13:05.816Z", "dateReserved": "2025-12-19T10:17:03.706Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-20T15:46:39.192Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in modeltheme ModelTheme Addons for WPBakery and Elementor modeltheme-addons-for-wpbakery allows Object Injection.This issue affects ModelTheme Addons for WPBakery and Elementor: from n/a through < 1.5.6."}, {"lang": "es", "value": "Vulnerabilidad de deserializaci\u00f3n de datos no confiables en modeltheme ModelTheme Addons for WPBakery and Elementor modeltheme-addons-for-wpbakery permite la inyecci\u00f3n de objetos. Este problema afecta a ModelTheme Addons for WPBakery and Elementor: desde n/a hasta &lt; 1.5.6."}], "id": "CVE-2025-68531", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-20T16:22:10.963", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/modeltheme-addons-for-wpbakery/vulnerability/wordpress-modeltheme-addons-for-wpbakery-and-elementor-plugin-1-5-6-php-object-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.5.6)"}}], "enrichment": {"confidence": 89.0, "confidence_source": "matching", "scores": [{"score": 89.0, "source": "matching"}]}, "original": {"product": "ModelTheme Addons for WPBakery and Elementor", "source": "cna", "vendor": "modeltheme"}, "product": "addons_for_wpbakery_and_elementor", "vendor": "modeltheme"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-27T20:39:47.298352+00:00", "value": {"mitigation_remediation": ["Update the ModelTheme Addons for WPBakery and Elementor plugin to version 1.5.6 or newer, which removes the insecure unserialize logic.", "If an update cannot be applied immediately, disable or remove the plugin from the WordPress installation to eliminate the vulnerable code path.", "Implement monitoring of application logs for unexpected PHP unserialize activity and review the plugin's data handling code for any remaining instances of unsanitized deserialization."], "summary": {"action": "Immediate Patch", "impact": "Remote code execution"}, "threat_synthesis": {"affected_systems": "The issue affects all WordPress sites that have the ModelTheme Addons for WPBakery and Elementor plugin installed with a version earlier than 1.5.6. The vendor responsible for the product is ModelTheme, and the affected releases are identified by the absence of a specific starting version (n/a) through any release below 1.5.6.", "description_and_impact": "The ModelTheme Addons for WPBakery and Elementor plug\u2011in contains a deserialization flaw that allows an attacker to inject arbitrary PHP objects into the application. The vulnerability is a classic case of insecure deserialization, CWE-502, and can lead to remote code execution or other malicious activity if an attacker is able to supply crafted data to the plugin. The flaw manifests through the plugin's handling of user\u2011supplied data, which is parsed using PHP's native unserialize function without validating or escaping the input.", "risk_and_exploitability": "With a CVSS score of 8.8, the vulnerability is considered high severity. The EPSS score of less than 1% indicates a very low probability of exploitation in the current landscape, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, the attack vector is likely remote, as any user or attacker who can interact with the plugin\u2014through form submissions, REST API calls, or direct URL manipulation\u2014could inject malicious objects. The lack of an official workaround means organizations should focus on timely patching and disabling the plugin if an upgrade is not possible."}}}}, "created": "2026-02-23T14:45:26.358844+00:00", "updated": "2026-04-27T20:45:12.710280+00:00", "vendors": ["modeltheme", "modeltheme$PRODUCT$addons_for_wpbakery_and_elementor", "wordpress", "wordpress$PRODUCT$wordpress"]}