CVE-2025-60070 MEDIUM

CVE-2025-60070: WordPress Molla - Multipurpose Responsive Shopify theme <= 1.5.13 - Arbitrary Code Execution vulnerability

Vendor The4
Product Molla
Weakness CWE-94 · Code injection
Published December 18, 2025
Last update April 28, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L

What the vulnerability does

01 Description

Improper Control of Generation of Code ('Code Injection') vulnerability in The4 Molla molla allows Code Injection. This issue affects Molla: from n/a through <= 1.5.13.

Explanation of Vulnerability in Simple Terms

02 Summary

Molla versions up to 1.5.13 contain a code injection vulnerability that allows attackers to inject and execute arbitrary code. The vulnerability requires specific network conditions and technical setup to exploit, but can affect confidentiality, integrity, and availability across the application. Site administrators should update to a version newer than 1.5.13 as soon as a patch becomes available.

What an attacker can do

03 Attacker Capabilities

Inject and execute arbitrary code on the site under specific network conditions.

Potential impact on your site

04 Site Impact

Attackers could read sensitive data, modify site content, or disrupt service availability.

Conditions required to exploit

05 Prerequisites

Network access; no authentication or user interaction required, but attack complexity is high.

Key dates

06 Disclosure timeline

December 18, 2025 CVE published
April 28, 2026 Record updated
