PatchSiren cyber security CVE debrief

CVE-2025-60205 ThemeREX CVE debrief

A critical vulnerability, CVE-2025-60205, was disclosed in ThemeREX Addons versions <= 2.36.1.1, allowing unauthenticated PHP Object Injection. With a CVSS score of 9.8, it poses a significant risk to affected installations, and organizations using this plugin should prioritize immediate mitigation. The vulnerability was made public on June 17, 2026; no use in ransomware campaigns is currently known.

Vendor: ThemeREX
Product: ThemeREX Addons
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-17
Original CVE updated: 2026-06-17
Advisory published: 2026-06-17
Advisory updated: 2026-06-17

Who should care

Administrators and security teams responsible for WordPress installations running ThemeREX Addons versions <= 2.36.1.1 should be aware of this vulnerability. Because it is critical in severity and exploitable without authentication, affected installations require immediate attention.

Technical summary

CVE-2025-60205 is an unauthenticated PHP Object Injection vulnerability in ThemeREX Addons. Rated CVSS 9.8, it allows an attacker to supply serialized PHP objects that the plugin deserializes without authentication, which can lead to code execution, data breaches, or full system compromise depending on the classes available for deserialization. Versions <= 2.36.1.1 of the plugin are affected. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network reachability, low attack complexity, no privileges or user interaction required, and high impact on confidentiality, integrity, and availability.

Defensive priority

Critical

Recommended defensive actions

  • Update ThemeREX Addons to a version beyond 2.36.1.1 immediately.
  • Place a web application firewall (WAF) in front of the site to detect and block requests carrying serialized PHP object payloads.
  • Where the plugin exposes functionality to unauthenticated requests, restrict it to authenticated users until the update is applied.
  • Regularly monitor the plugin and WordPress core for updates and apply them promptly.
  • Consider security plugins that provide additional protection against object injection attacks.
  • Limit the use of PHP object serialization in custom code, and in particular avoid calling unserialize() on untrusted input.
  • Enhance logging and monitoring so that exploitation attempts against the plugin's endpoints are recorded and alerted on.
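As an added illustration of the last two actions (this is example code, not ThemeREX or PatchSiren code, and it assumes PHP 7.0+ and hypothetical function names), the block below decodes untrusted input with class instantiation disabled and flags request parameters that carry serialized-object syntax so they can be logged:

```php
<?php
// Added example (not ThemeREX/PatchSiren code): (1) decode untrusted input
// with class instantiation disabled, (2) flag requests that carry serialized
// object syntax so attempts can be logged. Function names are hypothetical.
// With allowed_classes => false an O:/C: token becomes __PHP_Incomplete_Class
// instead of a real object, so no __wakeup()/__destruct() gadget can run.
function safe_unserialize(string $untrusted)
{
    $value = @unserialize($untrusted, ['allowed_classes' => false]);
    if ($value === false && $untrusted !== 'b:0;') {
        return null; // malformed input: treat as absent rather than trust it
    }
    return contains_object($value) ? null : $value; // objects never expected
}

// True if the decoded structure still holds an (incomplete) object anywhere.
function contains_object($value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// For a WAF rule or request logger: names of parameters whose value looks like
// a serialized object (O:<len>:"Class": or, for Serializable classes, C:...).
function find_serialized_object_params(array $params): array
{
    $hits = [];
    foreach ($params as $name => $raw) {
        if (is_string($raw) && preg_match('/(^|[;{])[OC]:\d+:"[A-Za-z_\\\\][\w\\\\]*":/', $raw)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Constructed sample request: a harmless options array and an object payload.
$sample = [
    'settings' => 'a:1:{s:5:"color";s:3:"red";}',
    'data'     => 'O:8:"stdClass":1:{s:1:"x";i:1;}',
];
var_dump(find_serialized_object_params($sample), safe_unserialize($sample['data']));
```

The detector is meant to feed an alert or WAF rule, not to replace the update; the plugin itself must still be patched.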

Evidence notes

The information provided is based on data from the National Vulnerability Database (NVD) and Patchstack. The CVE record and NVD detail pages offer the most comprehensive information about the vulnerability. Specific details about the vendor and affected products are limited, however, because the source record carries an 'Unknown Vendor' designation and lacks product information.
