Description
Unauthenticated PHP Object Injection in SeaFood Company <= 1.4 versions.
Published: 2026-06-16
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a PHP Object Injection that does not require authentication. An attacker can send a specially crafted serialized payload to the SeaFood Company theme, causing the WordPress site to deserialize the data and instantiate arbitrary PHP objects. This can lead to remote code execution, data tampering, or escalation of privileges. The weakness is identified as CWE‑502.

Affected Systems

WordPress sites that use the SeaFood Company theme from ThemeREX with version 1.4 or earlier are affected. Any deployment that has not updated past these releases is at risk.

Risk and Exploitability

The CVSS score of 9.8 indicates a high severity of impact. The EPSS score of less than 1% suggests that exploitation attempts are currently rare, but the absence from the CISA KEV catalog does not diminish the risk of a successful attack. The likely attack vector is an unauthenticated HTTP request that contains a malicious serialized payload, such as through a form or API endpoint that the theme processes without proper validation.

Generated by OpenCVE AI on June 17, 2026 at 19:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the SeaFood Company theme to the latest version (1.5 or newer) which resolves the object injection flaw.
  • If an upgrade cannot be performed immediately, deactivate or remove the SeaFood Company theme from the WordPress installation to prevent the vulnerability from being exploitable.
  • Audit the WordPress installation for other instances of unserialization on user input, and apply patches or secure coding practices such as input validation, to guard against similar object injection risks.

Generated by OpenCVE AI on June 17, 2026 at 19:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Themerex
Themerex seafood Company
Wordpress
Wordpress wordpress
Vendors & Products Themerex
Themerex seafood Company
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated PHP Object Injection in SeaFood Company <= 1.4 versions.
Title WordPress SeaFood Company theme <= 1.4 - PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Themerex Seafood Company
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T10:50:38.590Z

Reserved: 2025-12-29T11:19:31.912Z

Link: CVE-2025-69122

cve-icon Vulnrichment

Updated: 2026-06-17T10:50:33.446Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:04:20Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data