CVE-2025-67995
Awaiting Analysis Awaiting Analysis - Queue
Deserialization Vulnerability in LoftOcean PatioTime Allows Object Injection

Publication date: 2026-02-20

Last updated on: 2026-02-24

Assigner: Patchstack

Description
Deserialization of Untrusted Data vulnerability in LoftOcean PatioTime patiotime allows Object Injection.This issue affects PatioTime: from n/a through < 2.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-20
Last Modified
2026-02-24
Generated
2026-06-16
AI Q&A
2026-02-20
EPSS Evaluated
2026-06-14
NVD
CVE-2025-67995
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
loftocean patiotime to 2.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-67995 is a PHP Object Injection vulnerability found in the WordPress PatioTime Theme versions prior to 2.1. It allows unauthenticated attackers to inject malicious objects through deserialization of untrusted data, which can lead to various attacks.

  • The vulnerability is classified under OWASP Top 10 A3: Injection.
  • Attackers can potentially execute arbitrary code injection, SQL injection, path traversal, denial of service, and other attacks if a suitable PHP Object Injection POP chain is present.

The issue affects all PatioTime Theme versions below 2.1, with version 2.1 containing the patch to fix this vulnerability.

Impact Analysis

This vulnerability poses a severe security risk with a critical CVSS score of 9.8, indicating a high likelihood of exploitation.

  • Attackers can execute arbitrary code on your website, potentially taking full control of the affected system.
  • It can lead to SQL injection, allowing attackers to manipulate or steal data from your database.
  • Path traversal attacks could expose sensitive files on your server.
  • Denial of service attacks could disrupt the availability of your website.

Overall, exploitation of this vulnerability can compromise the confidentiality, integrity, and availability of your website and its data.

Compliance Impact

I don't know

Detection Guidance

This vulnerability affects WordPress PatioTime Theme versions prior to 2.1 and involves PHP Object Injection. Detection typically involves identifying if the vulnerable theme version is in use and monitoring for exploitation attempts.

While specific commands are not provided, you can detect the vulnerability by checking the installed PatioTime Theme version on your WordPress site. For example, you can use WP-CLI commands such as:

  • wp theme list --status=active
  • wp theme get patiotime --field=version

Additionally, monitoring web server logs for suspicious requests that may indicate PHP Object Injection attempts or using security tools that detect exploitation patterns can help identify attacks.

Mitigation Strategies

The primary immediate mitigation step is to update the PatioTime Theme to version 2.1 or later, which contains the necessary patch to fix the vulnerability.

Until the update can be applied, you can use the automatic mitigation rule provided by Patchstack that blocks exploitation attempts, offering rapid protection for affected websites.

It is also recommended to maintain continuous vulnerability mitigation practices and monitor your website for any suspicious activity.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-67995. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart