CVE-2025-60228 HIGH

CVE-2025-60228: WordPress Knowledge Base theme <= 2.9 - PHP Object Injection vulnerability

Vendor Designthemes
Product Knowledge Base
Weakness CWE-502 · Unsafe deserialization
Published October 22, 2025
Last update April 28, 2026

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

Deserialization of Untrusted Data vulnerability in designthemes Knowledge Base (kbase) allows Object Injection. This issue affects Knowledge Base: from n/a through <= 2.9.

Explanation of Vulnerability in Simple Terms

02 Summary

The Knowledge Base theme by designthemes contains a deserialization vulnerability in versions 2.9 and earlier. An authenticated user with low privileges can send specially crafted serialized data that the application deserializes without proper validation, allowing them to read sensitive information, modify site data, or disrupt service. No user interaction is required beyond the initial authentication.

What an attacker can do

03 Attacker Capabilities

Read sensitive data, modify site content, or crash the application.

Potential impact on your site

04 Site Impact

Any authenticated user, even one with low privileges, can compromise the confidentiality, integrity, and availability of your site.

Conditions required to exploit

05 Prerequisites

The attacker must have a low-privilege authenticated account on the site; no further user interaction is needed.

Key dates

06 Disclosure timeline

October 22, 2025 CVE published
April 28, 2026 Record updated