{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-60237", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-09-25T15:34:39.168Z", "datePublished": "2026-03-19T08:14:27.761Z", "dateUpdated": "2026-03-19T14:55:27.330Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-19T08:14:27.761Z"}, "title": "WordPress Finag theme <= 1.5.0 - PHP Object Injection vulnerability", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "CAPEC-586 Object Injection"}]}], "affected": [{"vendor": "Themeton", "product": "Finag", "versions": [{"status": "affected", "version": "n/a", "lessThanOrEqual": "1.5.0", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in Themeton Finag allows Object Injection.This issue affects Finag: from n/a through 1.5.0.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Deserialization of Untrusted Data vulnerability in Themeton Finag allows Object Injection.<p>This issue affects Finag: from n/a through 1.5.0.</p>"}]}], "references": [{"url": "https://patchstack.com/database/wordpress/theme/finag/vulnerability/wordpress-finag-theme-1-5-0-php-object-injection-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "CRITICAL", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "credits": [{"lang": "en", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program", "user": "00000000-0000-4000-9000-000000000000", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-19T14:54:39.161883Z", "id": "CVE-2025-60237", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T14:55:27.330Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-60237", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-19T14:54:39.161883Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T14:55:20.182Z"}}], "cna": {"title": "WordPress Finag theme <= 1.5.0 - PHP Object Injection vulnerability", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "CAPEC-586 Object Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Themeton", "product": "Finag", "versions": [{"status": "affected", "version": "n/a", "versionType": "custom", "lessThanOrEqual": "1.5.0"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://patchstack.com/database/wordpress/theme/finag/vulnerability/wordpress-finag-theme-1-5-0-php-object-injection-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in Themeton Finag allows Object Injection.This issue affects Finag: from n/a through 1.5.0.", "supportingMedia": [{"type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in Themeton Finag allows Object Injection.<p>This issue affects Finag: from n/a through 1.5.0.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-19T08:14:27.761Z"}}}, "cveMetadata": {"cveId": "CVE-2025-60237", "state": "PUBLISHED", "dateUpdated": "2026-03-19T14:55:27.330Z", "dateReserved": "2025-09-25T15:34:39.168Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-19T08:14:27.761Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in Themeton Finag allows Object Injection.This issue affects Finag: from n/a through 1.5.0."}], "id": "CVE-2025-60237", "lastModified": "2026-03-19T13:25:00.570", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-03-19T09:16:16.230", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/wordpress/theme/finag/vulnerability/wordpress-finag-theme-1-5-0-php-object-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.5.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Finag", "source": "cna", "vendor": "Themeton"}, "product": "finag", "vendor": "themeton"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-19T09:23:01.815096+00:00", "value": {"mitigation_remediation": ["Update the Finag theme to a version newer than 1.5.0 if one is available.", "If no update exists, disable or remove the Finag theme from the site and replace it with a trusted alternative."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "WordPress installations employing the Themeton Finag theme up to and including version 1.5.0 are impacted. The vulnerability applies to all releases from the initial release through 1.5.0, with no newer version mentioned as a safe fix.", "description_and_impact": "The vulnerability is a PHP Object Injection flaw caused by deserialization of untrusted data in Themeton Finag theme. This weakness (CWE-502) allows a malicious actor to craft input that results in the creation of objects with arbitrary properties, potentially leading to remote code execution or other severe compromise of the site\u2019s integrity, confidentiality, and availability.", "risk_and_exploitability": "The CVSS score of 9.8 indicates a critical severity. Although EPSS data is unavailable, the lack of a KEV listing does not reduce the urgency; the high severity and potential remote exploitation suggest that attackers could exploit this without advanced preparation. The likely attack vector is through input that the theme deserializes without adequate validation, which could be supplied via crafted URLs, form submissions, or other mechanisms that reach the theme\u2019s code."}}}}, "created": "2026-03-20T08:57:09.315951+00:00", "updated": "2026-03-20T14:15:29.054901+00:00", "vendors": ["themeton", "themeton$PRODUCT$finag", "wordpress", "wordpress$PRODUCT$wordpress"]}