CVE-2025-69122 ThemeREX CVE debrief

Who should care

Administrators and users of the SeaFood Company theme for WordPress, versions <= 1.4, should be aware of this critical vulnerability and take immediate action to update or mitigate the risk.

Technical summary

The CVE-2025-69122 vulnerability is caused by an unauthenticated PHP object injection in the SeaFood Company theme for WordPress, versions <= 1.4. This allows attackers to inject malicious PHP objects, potentially leading to arbitrary code execution. The vulnerability has a CVSS score of 9.8, indicating a critical severity level. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Defensive priority

high

Recommended defensive actions

• Update the SeaFood Company theme to a version greater than 1.4.
• Apply patches or hotfixes provided by the theme vendor.
• Use a Web Application Firewall (WAF) to detect and prevent exploitation attempts.
• Monitor system logs for suspicious activity.
• Consider using a security plugin or service to detect and mitigate vulnerabilities.
• Limit access to sensitive areas of the WordPress site.
• Regularly update WordPress and installed themes and plugins.

Evidence notes

The vulnerability is reported by Patchstack and listed in the NVD database. The CVE record is available on CVE.org. The vulnerability has a CVSS score of 9.8 and is classified as CWE-502.

Official resources