CVE-2025-69108
Deferred Deferred - Pending Action
Unauthenticated PHP Object Injection in Hot Coffee

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: Patchstack

Description
Unauthenticated PHP Object Injection in Hot Coffee <= 1.7 versions.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-17
Last Modified
2026-06-17
Generated
2026-06-17
AI Q&A
2026-06-17
EPSS Evaluated
N/A
NVD
CVE-2025-69108
EUVD
EUVD-2025-210191
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
patchstack hot_coffee to 1.7 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The WordPress Hot Coffee Theme, versions 1.7 and below, contains a high-priority PHP Object Injection vulnerability (CVE-2025-69108). This flaw allows unauthenticated attackers to inject malicious PHP objects into the application.

If exploited, this vulnerability can lead to code injection, SQL injection, path traversal, denial of service, and other malicious activities, provided a suitable POP (Property Oriented Programming) chain exists.

There is currently no official patch available for this vulnerability, but mitigation rules have been issued to block attacks until a fix is released.

Impact Analysis

This vulnerability can have severe impacts including unauthorized code execution, database compromise through SQL injection, unauthorized file access via path traversal, and denial of service attacks.

Because the vulnerability is unauthenticated and has a very high severity score (9.8), it is likely to be exploited in widespread attacks targeting thousands of websites using the vulnerable theme.

If your website uses the Hot Coffee Theme version 1.7 or below, attackers could take full control of your site, leading to data breaches, service disruption, and potential damage to your reputation.

Detection Guidance

There is no specific detection method or commands provided in the available resources for identifying this vulnerability on your network or system.

Mitigation Strategies

Immediate mitigation steps include updating the Hot Coffee theme to a version higher than 1.7 if available, or seeking assistance from your hosting provider or a developer.

Since there is no official patch released yet, Patchstack has issued a mitigation rule to block attacks targeting this vulnerability until an official fix is available.

Taking these steps is advised to prevent exploitation of the PHP Object Injection vulnerability which has a high severity score of 9.8.

Compliance Impact

The vulnerability in the Hot Coffee WordPress theme (versions 1.7 and below) allows unauthenticated PHP Object Injection, which can lead to code execution, SQL injection, path traversal, and denial of service attacks. Such exploits can result in unauthorized access to sensitive data or disruption of services.

Because of these risks, organizations using the vulnerable theme may face challenges in maintaining compliance with data protection standards and regulations such as GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.

Failure to address this vulnerability could lead to data breaches or service interruptions, potentially resulting in regulatory penalties or loss of trust.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-69108. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart