CVE-2025-52725: 
WordPress vulnerability analysis and mitigation

A Deserialization of Untrusted Data vulnerability (CVE-2025-52725) was discovered in pebas CouponXxL WordPress theme affecting versions through 3.0.0. The vulnerability was reported on June 10, 2025, and publicly disclosed on July 1, 2025. This high-severity vulnerability received a CVSS v3.1 base score of 9.8 (Critical) (Patchstack).

The vulnerability is classified as a PHP Object Injection issue, falling under the CWE-502 (Deserialization of Untrusted Data) category. The vulnerability allows for object injection through untrusted data deserialization, which could potentially lead to various attack vectors. The critical CVSS score of 9.8 is based on the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and no required privileges or user interaction (Patchstack).

The vulnerability could allow a malicious actor to execute code injection, SQL injection, path traversal, denial of service, and other attacks if a proper POP chain is present. Due to its critical severity rating and unauthenticated nature, this vulnerability is considered highly dangerous and is expected to become mass exploited (Patchstack).

Users are advised to update to CouponXxL version 3.1.0 or later to resolve the vulnerability. Patchstack has issued a virtual patch to mitigate this issue by blocking any attacks until users can update to a fixed version (Patchstack).