Deserialization Vulnerability in Lagom Theme by Themeton
CVE-2025-60229

9.8 CRITICAL

Key Information:

Vendor: WordPress

Status
Vendor
CVE Published: 17 June 2026

What is CVE-2025-60229?

A deserialization vulnerability in the Lagom theme by Themeton enables attackers to perform object injection. This issue arises when untrusted data is deserialized without proper validation, potentially leading to unauthorized actions or access within WordPress sites. Users are advised to update to the latest version and implement security measures to protect against this risk.

Affected Version(s)

Lagom <= 2.0

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity)