Description
Deserialization of Untrusted Data vulnerability in Themeton Lagom allows Object Injection.

This issue affects Lagom: from n/a through 2.0.
Published: 2026-06-17
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a deserialization flaw in the Lagom WordPress theme, allowing an attacker to inject arbitrary PHP objects during unserialization. This can lead to remote code execution on the affected WordPress site, compromising the confidentiality, integrity, and availability of the site and any data it hosts. The flaw is assigned a CVSS score of 9.8, reflecting its high severity and potential impact.

Affected Systems

The Vulnerable product is Themeton Lagom theme for WordPress. All versions from the earliest release up through version 2.0 are affected; no exact starting release is specified. Any WordPress site using the Lagom theme at or below version 2.0 is potentially impacted.

Risk and Exploitability

A CVSS score of 9.8 indicates a critical vulnerability. EPSS scores are not available, so the public exploitation likelihood is unknown but the high severity suggests a strong incentive to exploit. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is through any input that the theme uses to deserialize user‑provided data, such as theme configuration fields or custom input endpoints – this inference is based on the nature of PHP object injection attacks.

Generated by OpenCVE AI on June 18, 2026 at 11:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Lagom theme to a version newer than 2.0 (or apply the vendor’s patch if presented).
  • If an upgrade is not possible, disable or remove the Lagom theme from the WordPress installation to eliminate the vulnerable codepath.
  • Deploy a web‑application firewall or apply input‑sanitization rules that block malicious serialized payloads targeting PHP’s unserialize function.

Generated by OpenCVE AI on June 18, 2026 at 11:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Themeton
Themeton lagom
Wordpress
Wordpress wordpress
Vendors & Products Themeton
Themeton lagom
Wordpress
Wordpress wordpress

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in Themeton Lagom allows Object Injection. This issue affects Lagom: from n/a through 2.0.
Title WordPress Lagom theme <= 2.0 - PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Themeton Lagom
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T14:23:12.499Z

Reserved: 2025-09-25T15:34:39.167Z

Link: CVE-2025-60229

cve-icon Vulnrichment

Updated: 2026-06-17T14:22:48.985Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T22:57:40Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data