The vulnerability CVE-2025-67997 affects BoldThemes Travelicious prior to version 1.6.7 and is caused by deserialization of untrusted data, enabling object injection attacks. This flaw allows an unauthenticated attacker to remotely execute arbitrary code or manipulate application behavior, resulting in high impact on confidentiality, integrity, and availability. The CVSS v3.1 base score is 9.8, indicating critical severity with network attack vector, low attack complexity, no privileges required, and no user interaction needed.

Successful exploitation of this vulnerability can lead to full compromise of the affected system, including unauthorized disclosure of sensitive information, modification or deletion of data, and disruption of service. The vulnerability is remotely exploitable without authentication or user interaction, making it highly dangerous if exploited.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no patch or official fix information is provided, users should monitor BoldThemes advisories for updates and consider applying any available updates to version 1.6.7 or later once released. Until then, restricting exposure of the affected application to untrusted networks may reduce risk.