CVE-2025-49507: 
WordPress vulnerability analysis and mitigation

A critical deserialization vulnerability (CVE-2025-49507) was discovered in LoftOcean's CozyStay WordPress theme versions before 1.7.1. The vulnerability was reported on May 25, 2025, and publicly disclosed on June 9, 2025. This unauthenticated PHP Object Injection vulnerability affects all versions of CozyStay theme prior to version 1.7.1 (Patchstack).

The vulnerability is classified as a Deserialization of Untrusted Data (CWE-502) issue. It received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating that it can be exploited remotely without requiring privileges or user interaction (NVD).

The PHP Object Injection vulnerability could allow malicious actors to execute code injection, SQL injection, path traversal, or denial of service attacks if a proper POP chain is present. The high CVSS score of 9.8 indicates that this vulnerability is highly dangerous and expected to become mass exploited (Patchstack).

Users are strongly advised to update to CozyStay version 1.7.1 or later immediately to resolve this vulnerability. Patchstack has issued a virtual patch to mitigate this issue by blocking any attacks until users can update to a fixed version (Patchstack).