What the vulnerability does
01Description
Deserialization of Untrusted Data vulnerability in strongholdthemes Tech Life CPT techlife-cpt allows Object Injection.This issue affects Tech Life CPT: from n/a through <= 16.4.
CVE-2025-69036
HIGH
CVE-2025-69036: WordPress Tech Life CPT plugin <= 16.4 - PHP Object Injection vulnerability
CVSS base score
8.8/10
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Explanation of Vulnerability in Simple Terms
02Summary
Tech Life CPT versions 16.4 and earlier contain a deserialization vulnerability that allows authenticated attackers to execute arbitrary code on the site. The vulnerability exists in how the plugin processes untrusted serialized data without proper validation. An attacker with low-level site access can exploit this to gain full control of the WordPress installation.
What an attacker can do
03Attacker Capabilities
Run arbitrary code on the site and take full control of the WordPress installation.
Potential impact on your site
04Site Impact
Complete site compromise possible; attacker can modify content, steal data, install malware, or lock out administrators.
Conditions required to exploit
05Prerequisites
Attacker must have a low-level authenticated account (e.g., subscriber or contributor role).
Key dates
06Disclosure timeline
January 22, 2026
CVE published
April 28, 2026
Record updated
External resources
07References
Related vulnerabilities
08Related CVE
CVE-2025-68853 WordPress Contact Manager plugin <= 9.1.1 - PHP Object Injection vulnerability
CVE-2025-15117 Dromara Sa-Token SaJdkSerializer.java ObjectInputStream.readObject deserialization
CVE-2025-30889 WordPress Testimonial Slider plugin <= 2.0.13 - PHP Object Injection vulnerability
CVE-2024-31903 IBM Sterling B2B Integrator Standard Edition code execution
CVE-2024-28777 IBM Cognos Controller code execution
