{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-69405", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-31T20:13:23.067Z", "datePublished": "2026-02-20T15:46:58.121Z", "dateUpdated": "2026-04-28T21:00:51.555Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "lorem-ipsum-books-media-store", "product": "Lorem Ipsum | Books & Media Store", "vendor": "ThemeREX", "versions": [{"lessThanOrEqual": "1.2.11", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:03:54.033Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in ThemeREX Lorem Ipsum | Books & Media Store lorem-ipsum-books-media-store allows Object Injection.<p>This issue affects Lorem Ipsum | Books & Media Store: from n/a through <= 1.2.11.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in ThemeREX Lorem Ipsum | Books & Media Store lorem-ipsum-books-media-store allows Object Injection.This issue affects Lorem Ipsum | Books & Media Store: from n/a through <= 1.2.11."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:40.202Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/lorem-ipsum-books-media-store/vulnerability/wordpress-lorem-ipsum-books-media-store-theme-1-2-6-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress Lorem Ipsum | Books & Media Store theme <= 1.2.11 - PHP Object Injection vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-24T21:00:24.767788Z", "id": "CVE-2025-69405", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T21:00:51.555Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-69405", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-24T21:00:24.767788Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T21:00:26.336Z"}}], "cna": {"title": "WordPress Lorem Ipsum | Books & Media Store theme <= 1.2.11 - PHP Object Injection vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "affected": [{"vendor": "ThemeREX", "product": "Lorem Ipsum | Books & Media Store", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.2.11"}], "packageName": "lorem-ipsum-books-media-store", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:03:54.033Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/lorem-ipsum-books-media-store/vulnerability/wordpress-lorem-ipsum-books-media-store-theme-1-2-6-php-object-injection-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in ThemeREX Lorem Ipsum | Books & Media Store lorem-ipsum-books-media-store allows Object Injection.This issue affects Lorem Ipsum | Books & Media Store: from n/a through <= 1.2.11.", "supportingMedia": [{"type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in ThemeREX Lorem Ipsum | Books & Media Store lorem-ipsum-books-media-store allows Object Injection.<p>This issue affects Lorem Ipsum | Books & Media Store: from n/a through <= 1.2.11.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-01T14:13:31.488Z"}}}, "cveMetadata": {"cveId": "CVE-2025-69405", "state": "PUBLISHED", "dateUpdated": "2026-04-01T14:13:31.488Z", "dateReserved": "2025-12-31T20:13:23.067Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-20T15:46:58.121Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in ThemeREX Lorem Ipsum | Books & Media Store lorem-ipsum-books-media-store allows Object Injection.This issue affects Lorem Ipsum | Books & Media Store: from n/a through <= 1.2.11."}, {"lang": "es", "value": "Vulnerabilidad de deserializaci\u00f3n de datos no confiables en ThemeREX Lorem Ipsum | Books &amp; Media Store lorem-ipsum-books-media-store permite la inyecci\u00f3n de objetos. Este problema afecta a Lorem Ipsum | Books &amp; Media Store: desde n/a hasta &lt;= 1.2.6."}], "id": "CVE-2025-69405", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-20T16:22:26.417", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/lorem-ipsum-books-media-store/vulnerability/wordpress-lorem-ipsum-books-media-store-theme-1-2-6-php-object-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.2.6]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Lorem Ipsum | Books & Media Store", "source": "cna", "vendor": "ThemeREX"}, "product": "lorem_ipsum_|_books_&_media_store", "vendor": "themerex"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-27T20:10:07.535291+00:00", "value": {"mitigation_remediation": ["Upgrade the Lorem Ipsum | Books & Media Store theme to a version newer than 1.2.11, as newer releases resolve the deserialization flaw.", "If an immediate upgrade is not possible, deactivate or remove the theme until a fix is applied, and verify that no residual settings or files remain.", "Scan the WordPress installation for any unauthorized files or code injected via the theme, and review audit logs for suspicious activity.", "Apply general WordPress hardening measures such as limiting file permissions, disabling file editing from the admin panel, and ensuring that the theme only processes trusted data."], "summary": {"action": "Immediate Patch", "impact": "Object Injection leading to arbitrary code execution"}, "threat_synthesis": {"affected_systems": "The flaw exists in the ThemeREX Lorem Ipsum | Books & Media Store WordPress theme for all releases through version 1.2.11. Any WordPress installation that has this theme active and has not upgraded beyond 1.2.11 is vulnerable. The vendor is ThemeREX; the product name is Lorem Ipsum | Books & Media Store.", "description_and_impact": "Deserialization of untrusted data within the Lorem Ipsum | Books & Media Store theme allows an attacker to inject PHP objects. This can result in arbitrary code execution, compromising the confidentiality, integrity, and availability of the affected WordPress site. The weakness is identified as CWE-502.", "risk_and_exploitability": "The CVSS score of 9.8 marks it as critical, while the EPSS score of less than 1% indicates a low but nonzero chance of exploitation. The vulnerability is not listed in the CISA KEV catalog, suggesting no known active exploitation in the wild yet. Attackers can likely exploit the issue remotely by submitting crafted data to the theme\u2019s deserialization logic, possibly via form submissions or upload mechanisms. The absence of a public exploit does not mitigate the high-risk nature implied by the CVSS score."}}}}, "created": "2026-02-23T14:36:52.106227+00:00", "updated": "2026-04-27T20:15:12.271907+00:00", "vendors": ["themerex", "themerex$PRODUCT$lorem_ipsum_|_books_&_media_store", "wordpress", "wordpress$PRODUCT$wordpress"]}