{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-69329", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-31T20:12:18.800Z", "datePublished": "2026-02-20T15:46:49.874Z", "dateUpdated": "2026-04-28T20:53:08.499Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "prestige", "product": "Prestige", "vendor": "Jthemes", "versions": [{"changes": [{"at": "1.4.1", "status": "unaffected"}], "lessThanOrEqual": "1.4.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:03:44.878Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in Jthemes Prestige prestige allows Object Injection.<p>This issue affects Prestige: from n/a through < 1.4.1.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in Jthemes Prestige prestige allows Object Injection.This issue affects Prestige: from n/a through < 1.4.1."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:37.730Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/prestige/vulnerability/wordpress-prestige-theme-1-4-1-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress Prestige theme < 1.4.1 - PHP Object Injection vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-24T18:45:41.051599Z", "id": "CVE-2025-69329", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T20:53:08.499Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-69329", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-24T18:45:41.051599Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T18:45:53.988Z"}}], "cna": {"title": "WordPress Prestige theme < 1.4.1 - PHP Object Injection vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "affected": [{"vendor": "Jthemes", "product": "Prestige", "versions": [{"status": "affected", "changes": [{"at": "1.4.1", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "1.4.1"}], "packageName": "prestige", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:03:44.878Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/prestige/vulnerability/wordpress-prestige-theme-1-4-1-php-object-injection-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in Jthemes Prestige prestige allows Object Injection.This issue affects Prestige: from n/a through < 1.4.1.", "supportingMedia": [{"type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in Jthemes Prestige prestige allows Object Injection.<p>This issue affects Prestige: from n/a through < 1.4.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-01T14:13:16.898Z"}}}, "cveMetadata": {"cveId": "CVE-2025-69329", "state": "PUBLISHED", "dateUpdated": "2026-04-01T14:13:16.898Z", "dateReserved": "2025-12-31T20:12:18.800Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-20T15:46:49.874Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in Jthemes Prestige prestige allows Object Injection.This issue affects Prestige: from n/a through < 1.4.1."}, {"lang": "es", "value": "Vulnerabilidad de deserializaci\u00f3n de datos no confiables en Jthemes Prestige prestige permite la inyecci\u00f3n de objetos. Este problema afecta a Prestige: desde n/d hasta &lt; 1.4.1."}], "id": "CVE-2025-69329", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-20T16:22:20.173", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/prestige/vulnerability/wordpress-prestige-theme-1-4-1-php-object-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.4.1)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[1.4.1,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Prestige", "source": "cna", "vendor": "Jthemes"}, "product": "prestige", "vendor": "jthemes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-28T09:31:26.371526+00:00", "value": {"mitigation_remediation": ["Upgrade the Prestige theme to version\u202f1.4.1 or later to eliminate the unsafe deserialization endpoint.", "If an upgrade cannot be performed immediately, disable the theme or switch to a different, non\u2011vulnerable theme so the deserialization code cannot be executed.", "Audit the WordPress site for additional instances of PHP unserialize or other unsafe deserialization patterns and apply proper input validation or removal of such code."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability impacts the Jthemes Prestige theme on WordPress installations running any version prior to 1.4.1. It does not affect later releases or other themes.", "description_and_impact": "Deserialization of untrusted data in the Prestige theme allows object injection, which can be leveraged to create arbitrary PHP objects that execute attacker\u2011supplied code. This weakness directly permits full control over the server process, compromising confidentiality, integrity, and availability of the affected WordPress installation.", "risk_and_exploitability": "The CVSS score of 9.8 indicates critical severity. While the EPSS score is currently less than 1\u202f%, indicating a low probability of widespread exploitation, the flaw is not yet listed in the CISA KEV catalog, meaning it has not yet been widely compromised. Based on the description, it is inferred that an attacker can likely reach the deserialization point via a crafted HTTP request to the theme\u2019s endpoints, but no specific deployment scenario is documented. The lack of a mitigation in the criticality, combined with the CVSS, warrants urgent attention."}}}}, "created": "2026-02-23T14:37:28.958091+00:00", "updated": "2026-04-28T09:45:28.442897+00:00", "vendors": ["jthemes", "jthemes$PRODUCT$prestige", "wordpress", "wordpress$PRODUCT$wordpress"]}