CVE-2025-60225
WordPress BugsPatrol theme <= 1.5.0 - PHP Object Injection vulnerability
In short
The BugsPatrol WordPress theme before version 1.5.1 has a flaw where it processes untrusted data without proper validation, allowing attackers to inject malicious objects into the system. This can lead to remote code execution and full compromise of the website.
Technical detail
The vulnerability stems from unsafe PHP deserialization of untrusted input, which lets remote attackers instantiate arbitrary objects. No authentication is required; the attack vector is network-based via crafted serialized data. Successful exploitation results in arbitrary code execution with web server privileges.
Summary generated and translated by AI from the official description.
Deserialization of Untrusted Data vulnerability in AncoraThemes BugsPatrol bugspatrol allows Object Injection. This issue affects BugsPatrol: from n/a through <= 1.5.0.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
AncoraThemes · BugsPatrol