CVE-2025-60224 — AI Deep Analysis Summary

🚨 **Essence**: Untrusted data deserialization in 'Subscribe to Download' plugin. <br>💥 **Consequences**: Leads to **PHP Object Injection**.…

🛡️ **Root Cause**: **CWE-502** (Deserialization of Untrusted Data).…

📦 **Affected Product**: WordPress Plugin **Subscribe to Download**. <br>🔢 **Versions**: **2.0.9 and earlier**. <br>🏢 **Vendor**: wpshuffle.

🕵️ **Attacker Actions**: <br>• **Remote Code Execution (RCE)** via object injection.…

🔓 **Exploitation Threshold**: **LOW**. <br>• **Network**: Remote (AV:N). <br>• **Complexity**: Low (AC:L). <br>• **Privileges**: None required (PR:N). <br>• **User Interaction**: None required (UI:N).…

📜 **Public Exploit**: **No PoC provided** in the current data. <br>🌐 **References**: PatchStack VDB entries exist, but no specific exploit code is listed in the provided JSON.…

🔍 **Self-Check**: <br>1. Scan for **Subscribe to Download** plugin. <br>2. Verify version is **≤ 2.0.9**. <br>3. Check for **deserialization functions** (`unserialize`) in plugin code handling user input. <br>4.…

🛠️ **Official Fix**: **Yes**. <br>📅 **Published**: 2025-10-22. <br>✅ **Action**: Update the plugin to the latest version immediately. Check vendor (wpshuffle) for patch release notes.

🚧 **No Patch Workaround**: <br>1. **Disable/Deactivate** the plugin immediately if not critical. <br>2. **Remove** the plugin from the WordPress installation. <br>3.…

🔥 **Urgency**: **CRITICAL**. <br>• **CVSS Score**: High (implied by C:H/I:H/A:H). <br>• **Exploitability**: Remote, No Auth, Low Complexity. <br>⚡ **Priority**: **P0**. Patch or disable immediately.…