Subscribe to Download Vulnerability (High) – CVE-2025-60224

Feb 26, 2026 | Plugins

Attack Vectors

CVE-2025-60224 is a High-severity vulnerability (CVSS 8.1, vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) affecting the Subscribe to Download WordPress plugin (slug: subscribe-to-download) in versions up to and including 2.0.9.

The issue is reachable over the network without authentication, meaning an attacker does not need a user account to attempt exploitation. Although the CVSS vector rates attack complexity as high (AC:H), this remains a material risk for public-facing sites because attempts can be repeated and automated at scale.

Security Weakness

The Subscribe to Download plugin is vulnerable to PHP Object Injection due to deserialization of untrusted input in versions <= 2.0.9. In practical terms, the plugin deserializes attacker-controlled data, which lets the attacker choose which PHP objects are instantiated and with what property values.

Importantly, no POP (Property-Oriented Programming) chain is known to exist in the vulnerable plugin itself. However, if a usable POP chain is available through another installed plugin or theme, the combination can escalate this weakness into far more damaging outcomes.
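The vulnerable and hardened deserialization patterns side by side, as an added illustration of this weakness class; this is not code from Subscribe to Download, and the `load_prefs_*` functions and the cookie-style input are hypothetical.

```php
<?php
// Added illustration of PHP Object Injection (not the plugin's own code).
// A hypothetical "subscriber preferences" cookie stands in for untrusted input.

// Vulnerable pattern: unserialize() on attacker-controlled bytes. On its own it
// only builds objects; with a gadget class (POP chain) loaded by any other
// plugin or theme, its __wakeup()/__destruct() logic runs on attacker data.
function load_prefs_unsafe(string $raw)
{
    return unserialize($raw);
}

// Hardened pattern 1: keep the serialized format but forbid all classes.
// Any serialized object becomes __PHP_Incomplete_Class and no magic methods of
// foreign classes are invoked, which breaks every POP chain at the first link.
function load_prefs_safe(string $raw): ?array
{
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return null; // reject anything that is not the expected plain array
    }
    foreach ($data as $value) {
        if (is_object($value)) { // an object was smuggled in; treat as hostile
            return null;
        }
    }
    return $data;
}

// Hardened pattern 2 (preferred for new code): use JSON, which cannot
// express PHP objects at all.
function load_prefs_json(string $raw): ?array
{
    $data = json_decode($raw, true);
    return is_array($data) ? $data : null;
}

// Constructed sample inputs for a local check.
$benign  = serialize(['format' => 'pdf', 'notify' => true]);
$hostile = serialize((object) ['marker' => 1]); // harmless stdClass as a stand-in

var_dump(load_prefs_safe($benign));   // array(2) {...}
var_dump(load_prefs_safe($hostile));  // NULL: object refused
var_dump(load_prefs_json('{"format":"pdf"}'));
```

The `allowed_classes` option requires PHP 7.0 or later; on older runtimes only the JSON route removes the risk.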

Remediation: Update Subscribe to Download to version 2.1.0 or any newer patched version.

Technical or Business Impacts

If exploitation becomes possible (for example, due to a POP chain available from another plugin/theme), the potential impacts described for this class of vulnerability include arbitrary file deletion, retrieval of sensitive data, or code execution. For business leaders, this translates into risks such as site outage, content tampering, theft of customer or subscriber information, and potential downstream compromise of connected systems.

From a brand and revenue perspective, the most common business outcomes include lost lead capture, campaign disruption, reduced customer trust, emergency remediation costs, and possible compliance exposure (depending on what data is accessible on the affected WordPress environment).

Similar Attacks (real-world examples): Deserialization and object injection flaws have been used to achieve serious outcomes in other platforms, such as CVE-2015-8562 (Joomla! object injection leading to remote code execution) and CVE-2019-6340 (Drupal REST deserialization issue leading to remote code execution).

Given the unauthenticated nature of CVE-2025-60224 and the possibility of risky plugin/theme combinations, organizations should prioritize the update to Subscribe to Download 2.1.0+, review installed plugins/themes for known gadget chains, and ensure incident-ready backups and monitoring are in place.
