CVE-2025-53303
BaseFortify
Publication date: 2025-09-09
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| thememove | thememove_core | 1.4.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a PHP Object Injection issue in the WordPress ThemeMove Core Plugin up to version 1.4.2. It allows attackers with subscriber-level privileges to inject malicious objects into the application, potentially enabling actions such as code injection, SQL injection, path traversal, denial of service, and other harmful effects. The vulnerability exploits deserialization of untrusted data and falls under the OWASP Top 10 category A3: Injection. [1]
How can this vulnerability impact me? :
The vulnerability can lead to severe impacts including unauthorized code execution, database compromise via SQL injection, file system access through path traversal, denial of service attacks, and other malicious activities depending on the exploitation scenario. Since it requires only subscriber-level privileges to exploit, it poses a high risk of mass exploitation and can severely compromise the security and availability of affected WordPress sites. [1]
What immediate steps should I take to mitigate this vulnerability?
Apply the virtual patch (vPatch) provided by Patchstack to block attack attempts until an official fix is released. This virtual patch can be safely applied and tested to protect affected sites immediately. Additionally, consider engaging professional incident response services if your site is already compromised. [1]