CVE-2025-60224
📋 TL;DR
This CVE describes a PHP object injection vulnerability in the WordPress Subscribe to Download plugin. Attackers can exploit insecure deserialization to execute arbitrary code, potentially compromising the entire WordPress site. All WordPress sites running vulnerable plugin versions (≤2.0.9) are affected.
💻 Affected Systems
- WordPress Subscribe to Download plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full remote code execution leading to complete site takeover, data theft, malware deployment, and server compromise.
Likely Case
Unauthenticated attackers achieve remote code execution, install backdoors, deface sites, or steal sensitive data.
If Mitigated
With proper WAF rules and security monitoring, exploitation attempts are blocked and detected before damage occurs.
🎯 Exploit Status
Public exploit details exist, making this easily weaponizable by attackers with basic skills.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.1.0 or later
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Subscribe to Download'. 4. Click 'Update Now' if update available. 5. If no update available, deactivate and delete plugin immediately.
🔧 Temporary Workarounds
Disable vulnerable plugin
allTemporarily disable the Subscribe to Download plugin until patched version is available
wp plugin deactivate subscribe-to-download
WAF rule for deserialization attacks
allAdd web application firewall rule to block PHP object injection attempts
🧯 If You Can't Patch
- Immediately deactivate and remove the Subscribe to Download plugin from all WordPress sites
- Implement strict WAF rules to block deserialization attempts and monitor for exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins → Subscribe to Download version. If version ≤2.0.9, you are vulnerable.Check Version:
wp plugin get subscribe-to-download --field=versionVerify Fix Applied:
After update, verify plugin version is ≥2.1.0 in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to plugin endpoints
- PHP deserialization errors in logs
- Unexpected file creation in wp-content/uploads
Network Indicators:
- HTTP requests containing serialized PHP objects
- Traffic to known exploit patterns for this CVE
SIEM Query:
source="wordpress.log" AND ("subscribe-to-download" OR "CVE-2025-60224") AND ("deserialization" OR "unserialize" OR "object injection")