CVE-2025-60216
BoldThemes · Addison
The BoldThemes Addison theme for WordPress contains an insecure deserialization vulnerability that allows unauthenticated remote object injection.
Executive summary
A critical deserialization vulnerability in the BoldThemes Addison theme allows unauthenticated attackers to execute arbitrary code via object injection.
Vulnerability
This flaw stems from the insecure handling of serialized data, which permits unauthenticated attackers to supply malicious objects that the application will deserialize, leading to remote code execution.
Business impact
The 9.8 CVSS score reflects the extreme risk this vulnerability poses to business continuity and data security. An attacker exploiting this flaw could gain full control of the WordPress instance, potentially leading to unauthorized data access, service disruption, or the compromise of administrative credentials.
Remediation
Immediate Action: Update the BoldThemes Addison theme to the latest patched version available from the vendor.
Proactive Monitoring: Monitor server logs for signs of unauthorized execution or unexpected file modifications that typically follow an object injection attack.
Compensating Controls: Implement WAF rules specifically designed to detect and block serialized objects within HTTP requests to mitigate the risk until updates are applied.
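As an added illustration of the monitoring and WAF controls above (example code written for this page, not BoldThemes' code or any WAF vendor's rule set), the following Python scans HTTP request parameters for serialized PHP object headers, including URL-encoded and base64-encoded forms that a naive pattern would miss. The parameter names and payloads are constructed samples; the page does not name Addison's vulnerable parameter, so none is assumed here.

```python
import base64
import binascii
import re
from urllib.parse import unquote_plus

# Header of a serialized PHP object: O:<len>:"<class>":<n>:{ ... }
# Classes with a custom unserialize handler use C: instead of O:.
PHP_OBJECT_RE = re.compile(r'(?:O|C):\d+:"([A-Za-z_\\][A-Za-z0-9_\\]*)":\d+:\{')


def decode_layers(value: str) -> list[str]:
    """Return the raw value plus URL-decoded and base64-decoded views of it."""
    views = [value]
    decoded = unquote_plus(value)
    if decoded != value:
        views.append(decoded)
    # Try base64 on each view; validate=True rejects anything that is not base64.
    for candidate in list(views):
        try:
            raw = base64.b64decode(candidate, validate=True)
            views.append(raw.decode("utf-8", "replace"))
        except (binascii.Error, ValueError):
            pass
    return views


def find_php_objects(value: str) -> list[str]:
    """Class names of serialized PHP objects found in any decoding of value."""
    found = []
    for view in decode_layers(value):
        found.extend(m.group(1) for m in PHP_OBJECT_RE.finditer(view))
    return found


def scan_request(params: dict[str, str]) -> dict[str, list[str]]:
    """Map each offending parameter (query, body or cookie) to the classes it carries."""
    return {k: hits for k, v in params.items() if (hits := find_php_objects(v))}


# Constructed sample requests; parameter names are placeholders, not Addison's.
SAMPLE_REQUESTS = [
    {"s": "hello", "page_id": "42"},                                   # benign
    {"data": 'O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}'},               # plain
    {"data": "O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A3%3A%22foo%22%3B%7D"},  # URL-encoded
    {"opts": base64.b64encode(b'a:1:{i:0;O:8:"stdClass":0:{}}').decode()},  # base64
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(scan_request(req) or "clean")
```

A serialized array without an object header (`a:2:{i:0;s:1:"x";...}`) is not flagged, which keeps false positives down on plugins that legitimately pass serialized scalars.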
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Due to the critical nature of this vulnerability, immediate action is required. Organizations using the Addison theme must prioritize the update to the latest version to eliminate the risk of remote code execution.