CVE-2025-60236
Deferred Deferred - Pending Action
BaseFortify

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: Patchstack

Description
Deserialization of Untrusted Data vulnerability in EMV Creatify allows Object Injection. This issue affects Creatify: from n/a through 1.5.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-17
Last Modified
2026-06-17
Generated
2026-06-17
AI Q&A
2026-06-17
EPSS Evaluated
N/A
NVD
CVE-2025-60236
EUVD
EUVD-2025-210246
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
creatify creatify to 1.5 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-60236 is a PHP Object Injection vulnerability found in the WordPress Creatify Theme versions 1.5 and below. This vulnerability arises from the deserialization of untrusted data, allowing attackers to inject malicious objects into the application.

Exploiting this flaw can enable attackers to perform various malicious actions such as code injection, SQL injection, path traversal, and denial of service, provided a suitable POP (Property Oriented Programming) chain exists.

The vulnerability is considered critical with a CVSS score of 9.8, indicating a high risk to affected systems.

Impact Analysis

This vulnerability can have severe impacts including unauthorized code execution, data breaches through SQL injection, disruption of service via denial of service attacks, and unauthorized access to files through path traversal.

Because the vulnerability allows attackers to inject malicious objects, it can compromise the confidentiality, integrity, and availability of your system.

Additionally, the theme has not been updated in over a year and is unlikely to receive an official patch, increasing the risk of exploitation.

Immediate mitigation actions include removing or replacing the theme, or applying Patchstack's mitigation rules to block attacks until an official fix is available.

Detection Guidance

There are no specific detection commands or network/system detection methods provided in the available resources for CVE-2025-60236.

Mitigation Strategies

Immediate mitigation steps for CVE-2025-60236 include removing and replacing the vulnerable Creatify theme entirely or applying a mitigation rule offered by Patchstack to block attacks until an official patch is released.

Simply deactivating the theme does not resolve the security threat unless Patchstack’s mitigation is deployed.

If a patch becomes available in the future, updating the theme to the patched version is advised.

Compliance Impact

The vulnerability in the WordPress Creatify Theme (CVE-2025-60236) allows for critical risks such as code injection, SQL injection, path traversal, and denial of service. These risks can lead to unauthorized access, data breaches, and system compromise.

Such security issues can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.

Failure to address this vulnerability could result in exposure of sensitive data, leading to potential violations of these regulations and associated legal and financial consequences.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-60236. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart