VYPR
Medium severity 6.5 · NVD Advisory · Published Dec 18, 2025 · Updated Apr 27, 2026

CVE-2025-60070

Description

Improper Control of Generation of Code ('Code Injection') vulnerability in The4 Molla molla allows Code Injection. This issue affects Molla: from n/a through <= 1.5.13.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An arbitrary code execution vulnerability in the Molla WordPress theme up to v1.5.13 allows unauthenticated attackers to inject and execute malicious code.

Vulnerability Overview

CVE-2025-60070 is a critical code injection vulnerability in the Molla WordPress theme (and its bundled Molla plugin) versions up to and including 1.5.13. The flaw stems from improper control of code generation, enabling an attacker to inject arbitrary code into the application. This is classified as a high-severity issue with a CVSS v3 base score of 6.5, and is expected to become actively exploited in mass campaigns [1].

Exploitation Method

An attacker can exploit this vulnerability remotely without requiring authentication, leveraging the theme's code generation functionality to inject malicious payloads. The attack vector is network-based, and the complexity is low, making it easy to weaponize. Given that thousands of WordPress installations use this theme, attackers can target any site running a vulnerable version regardless of size or popularity [1].

Impact

Successful exploitation allows a malicious actor to remotely execute arbitrary code on the target website. This could lead to complete site compromise, including data theft, malware distribution, defacement, or further propagation within the hosting environment. The vulnerability is considered highly dangerous and is actively monitored for exploitation at scale [1].

Mitigation

The vendor has released a patched version. Users are urged to update the Molla theme immediately to a version newer than 1.5.13. If updating is not possible, site owners should contact their hosting provider or a developer to apply a virtual patch or workaround [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1