Description
Unauthenticated PHP Object Injection in ThemeREX Addons <= 2.36.1.1 versions.
Published: 2026-06-17
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unauthenticated PHP Object Injection flaw in ThemeREX Addons plugin versions up to 2.36.1.1. This weakness allows an attacker to create or manipulate PHP objects that are later unserialized, potentially enabling the attacker to execute arbitrary code or alter application behavior. The flaw is classified as CWE‑502, indicating a deserialization vulnerability that can lead to code execution and data tampering.

Affected Systems

The affected product is the WordPress ThemeREX Addons plugin from ThemeREX, with all releases at or below version 2.36.1.1. Users running those versions are impacted.

Risk and Exploitability

The CVSS score of 9.8 marks this vulnerability as critical, while the EPSS score is currently unavailable, suggesting no publicly documented exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. Because the injection is unauthenticated, an attacker could exploit the flaw by accessing the plugin’s input fields or API endpoints from any user, making the attack vector straightforward and potentially automated. An attacker who succeeds could gain full control over the WordPress site.

Generated by OpenCVE AI on June 18, 2026 at 12:31 UTC.

Remediation

Vendor Solution

Update the WordPress ThemeREX Addons plugin to the latest available version (at least 2.36.2).


OpenCVE Recommended Actions

  • Update the WordPress ThemeREX Addons plugin to version 2.36.2 or newer.
  • Remove or disable the plugin if it is not required for site functionality.
  • Configure the WordPress installation to restrict unauthenticated access to plugin admin areas and monitor logs for suspicious object creation attempts.

Generated by OpenCVE AI on June 18, 2026 at 12:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Themerex
Themerex themerex Addons
Wordpress
Wordpress wordpress
Vendors & Products Themerex
Themerex themerex Addons
Wordpress
Wordpress wordpress

Fri, 19 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Unauthenticated PHP Object Injection in ThemeREX Addons <= 2.36.1.1 versions.
Title WordPress ThemeREX Addons plugin <= 2.36.1.1 - PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Themerex Themerex Addons
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T14:25:13.473Z

Reserved: 2025-09-25T15:28:42.280Z

Link: CVE-2025-60205

cve-icon Vulnrichment

Updated: 2026-06-17T14:25:09.481Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T23:04:54Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data