{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-69404", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-31T20:13:23.066Z", "datePublished": "2026-02-20T15:46:57.893Z", "dateUpdated": "2026-04-28T21:00:42.344Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "extremestore", "product": "Extreme Store", "vendor": "ThemeREX", "versions": [{"lessThanOrEqual": "1.5.10", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:03:53.746Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in ThemeREX Extreme Store extremestore allows Object Injection.<p>This issue affects Extreme Store: from n/a through <= 1.5.10.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in ThemeREX Extreme Store extremestore allows Object Injection.This issue affects Extreme Store: from n/a through <= 1.5.10."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:40.184Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/extremestore/vulnerability/wordpress-extreme-store-theme-1-5-7-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress Extreme Store theme <= 1.5.10 - PHP Object Injection vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-24T21:00:20.713564Z", "id": "CVE-2025-69404", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T21:00:42.344Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-69404", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-24T21:00:20.713564Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T21:00:22.119Z"}}], "cna": {"title": "WordPress Extreme Store theme <= 1.5.10 - PHP Object Injection vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "affected": [{"vendor": "ThemeREX", "product": "Extreme Store", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.5.10"}], "packageName": "extremestore", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:03:53.746Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/extremestore/vulnerability/wordpress-extreme-store-theme-1-5-7-php-object-injection-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in ThemeREX Extreme Store extremestore allows Object Injection.This issue affects Extreme Store: from n/a through <= 1.5.10.", "supportingMedia": [{"type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in ThemeREX Extreme Store extremestore allows Object Injection.<p>This issue affects Extreme Store: from n/a through <= 1.5.10.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-01T14:13:31.293Z"}}}, "cveMetadata": {"cveId": "CVE-2025-69404", "state": "PUBLISHED", "dateUpdated": "2026-04-01T14:13:31.293Z", "dateReserved": "2025-12-31T20:13:23.066Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-20T15:46:57.893Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in ThemeREX Extreme Store extremestore allows Object Injection.This issue affects Extreme Store: from n/a through <= 1.5.10."}, {"lang": "es", "value": "Vulnerabilidad de deserializaci\u00f3n de datos no confiables en ThemeREX Extreme Store extremestore permite la inyecci\u00f3n de objetos. Este problema afecta a Extreme Store: desde n/a hasta &lt;= 1.5.7."}], "id": "CVE-2025-69404", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-20T16:22:26.290", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/extremestore/vulnerability/wordpress-extreme-store-theme-1-5-7-php-object-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.5.7]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Extreme Store", "source": "cna", "vendor": "ThemeREX"}, "product": "extreme_store", "vendor": "themerex"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-27T20:11:08.195406+00:00", "value": {"mitigation_remediation": ["Upgrade the Extreme Store theme to version 1.5.11 or later, which resolves the deserialization issue.", "If an upgrade is not immediately possible, deactivate the Extreme Store theme or switch to a secure replacement to eliminate the vulnerable code path.", "Apply WordPress core and plugin updates regularly, and deploy a security plugin configured to monitor for abnormal object deserialization attempts and file changes."], "summary": {"action": "Patch Immediately", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "WordPress sites that have the ThemeREX Extreme Store theme installed and running up to version 1.5.10 are affected. All deployments of this theme, regardless of other configuration or plugins, are potentially vulnerable until the theme is updated beyond the stated maximum affected release.", "description_and_impact": "The vulnerability is a deserialization of untrusted data flaw that enables PHP Object Injection within the ThemeREX Extreme Store WordPress theme. An attacker can craft malicious serialized objects that, when processed by the theme, result in arbitrary code execution on the web server. This type of weakness can compromise the confidentiality, integrity, and availability of the affected website, allowing attackers to read, modify, or delete site data and potentially gain full control over the server.", "risk_and_exploitability": "The CVSS score of 9.8 classifies the flaw as critical. The EPSS score of less than 1% indicates a very low but non-zero probability of exploitation, and the vulnerability is not yet listed in the CISA KEV catalog. While the official description does not specify required permissions, the nature of a PHP object injection suggests that a remote attacker can trigger the flaw via crafted input without prior authentication. Exploitation likely requires that the theme's unserialize functionality is invoked on data supplied by an attacker, such as through a form, query parameter, or cookie. Once triggered, the attacker can execute arbitrary PHP code, leading to full compromise of the affected WordPress installation."}}}}, "created": "2026-02-23T14:36:52.952781+00:00", "updated": "2026-04-27T20:15:12.272525+00:00", "vendors": ["themerex", "themerex$PRODUCT$extreme_store", "wordpress", "wordpress$PRODUCT$wordpress"]}