PT-2026-50388 · Emv · Creatify

Published: 2026-06-17 · Updated: 2026-06-17

CVE-2025-60236

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Creatify versions prior to 1.6

Description: A deserialization of untrusted data flaw in the EMV Creatify WordPress theme allows PHP Object Injection. This occurs when attacker-controlled input reaches a PHP deserialization sink, enabling an unauthenticated attacker to inject crafted objects into the application. If paired with a usable gadget chain (a sequence of existing code fragments that can be executed during deserialization) from the theme, an installed plugin, or WordPress core, this can lead to full site compromise. The issue is remotely exploitable without privileges or user interaction.

Recommendations: Update to a version newer than 1.5.
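
The difference between an injectable deserialization sink and a constrained one, as an added example (not code from the theme or from this advisory). The class `DemoCleanup`, the function names and the sample payload are constructed for illustration; the theme's actual sink is not described on this page.

```php
<?php
// Constructed stand-in for a gadget: a class whose magic method runs on its
// own once an object of that class exists. Hypothetical, not from the theme.
final class DemoCleanup
{
    public static array $ran = [];
    public string $target = '';
    public function __destruct()
    {
        self::$ran[] = $this->target; // a real gadget would act on this value
    }
}

// The injectable pattern: request data passed straight to unserialize().
function load_unsafe(string $raw): mixed
{
    return unserialize($raw);
}

// True if any object (including __PHP_Incomplete_Class) is nested in $value.
function contains_object(mixed $value): bool
{
    if (!is_array($value)) {
        return is_object($value);
    }
    foreach ($value as $item) {
        if (contains_object($item)) {
            return true;
        }
    }
    return false;
}

// Constrained form: no class is instantiated, depth is bounded, objects are refused.
function load_constrained(string $raw): ?array
{
    $value = @unserialize($raw, ['allowed_classes' => false, 'max_depth' => 8]);
    return is_array($value) && !contains_object($value) ? $value : null;
}

// Constructed sample input: an array carrying one serialized DemoCleanup.
$payload = 'a:1:{s:1:"x";O:11:"DemoCleanup":1:{s:6:"target";s:4:"demo";}}';
$loaded = load_unsafe($payload);
unset($loaded); // last reference dropped, so __destruct() runs here
$unsafeRuns = count(DemoCleanup::$ran);
DemoCleanup::$ran = [];
$safe = load_constrained($payload);
printf("unsafe path ran the gadget %d time(s); constrained path: %s, %d run(s)\n",
    $unsafeRuns, $safe === null ? 'rejected' : 'accepted', count(DemoCleanup::$ran));
```

The example needs PHP 8.0 or later for the `mixed` type. Where the stored value is plain data, a format with no object support, such as JSON, removes the sink altogether.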

Fix

Deserialization of Untrusted Data

Weakness Enumeration

Related Identifiers

CVE-2025-60236

Affected Products

Creatify