Description
Deserialization of Untrusted Data vulnerability in EMV Creatify allows Object Injection.

This issue affects Creatify: from n/a through 1.5.
Published: 2026-06-17
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a deserialization of untrusted data (CWE-502) that allows an attacker to inject malicious PHP objects. When the Creatify theme processes user‑supplied data, the serialized payload is deserialized without validation, giving the attacker the ability to execute arbitrary code on the web server. This flaw can compromise the confidentiality, integrity, and availability of the site and any connected services.

Affected Systems

The Creatify WordPress theme, supplied by EMV, is affected from the earliest released version through 1.5. Every site running any legacy version of the theme prior to the release of a newer fixed version is vulnerable.

Risk and Exploitability

The CVSS score of 9.8 indicates a critical level of risk and suggests that successful exploitation would provide complete control over the affected server. While the EPSS score is not available, the absence of a KEV listing does not lessen the danger. Based on the description, it is inferred that the flaw could be triggered by an unauthenticated or authenticated user with access to a page that accepts serialized input, suggesting a straightforward HTTP‑based attack vector.

Generated by OpenCVE AI on June 18, 2026 at 13:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Creatify theme to the latest available release that removes the insecure deserialization logic.
  • If an upgrade is not immediately possible, uninstall or replace the theme to eliminate the vulnerable code path.
  • Configure a web application firewall or similar protection to detect and block unserialized payloads before they reach the application layer.

Generated by OpenCVE AI on June 18, 2026 at 13:49 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Emv
Emv creatify
Wordpress
Wordpress wordpress
Vendors & Products Emv
Emv creatify
Wordpress
Wordpress wordpress

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in EMV Creatify allows Object Injection. This issue affects Creatify: from n/a through 1.5.
Title WordPress Creatify theme <= 1.5 - PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T14:41:28.070Z

Reserved: 2025-09-25T15:34:39.168Z

Link: CVE-2025-60236

cve-icon Vulnrichment

Updated: 2026-06-17T14:41:24.491Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T22:57:33Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data