Impact
The WordPress Traveler theme contains a PHP Object Injection flaw driven by deserialization of untrusted data. Attackers can craft malicious serialized payloads that, when processed by the theme, instantiate arbitrary PHP objects. This can lead to remote code execution or unauthorized changes to site content. The weakness falls under CWE‑502, "Deserialization of Untrusted Data".
Affected Systems
The flaw affects shinetheme Traveler versions from the earliest released build through any version prior to 3.2.1. Users running version 3.1.8 or earlier are therefore exposed. The problem exists in the core theme code that handles imported data, widget configuration, or other user‑supplied inputs. Consequently, all WordPress sites that host the Traveler theme within this range are potentially insecure, regardless of the site owner’s role level.
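A quick exposure check for the version range above, added here as an example and not taken from the advisory or the theme's code: it reads the `Version` and `Template` headers from each theme's `style.css` and flags the parent theme and any child themes that load it. The directory name `traveler` and the status labels are assumptions; the page gives both "prior to 3.2.1" and "3.1.8 or earlier", and the check uses the wider bound.

```python
import re
from pathlib import Path

FIXED = (3, 2, 1)         # first release outside the affected range, per the advisory
PARENT_SLUG = "traveler"  # assumption: directory name of the installed theme

def header_field(css_text, name):
    """Read one header field from style.css the way WordPress does (first 8 KiB)."""
    m = re.search(r"^[ \t/*#@]*" + re.escape(name) + r":(.*)$",
                  css_text[:8192], re.M | re.I)
    return m.group(1).strip() if m else None

def version_tuple(text):
    """'3.1.8' -> (3, 1, 8); '3.2' -> (3, 2, 0); None if no digits are present."""
    nums = [int(n) for n in re.findall(r"\d+", text or "")[:3]]
    return tuple(nums + [0] * (3 - len(nums))) if nums else None

def audit_themes(themes):
    """themes maps directory name -> style.css text. Returns name -> status."""
    parent = "missing"
    if PARENT_SLUG in themes:
        ver = version_tuple(header_field(themes[PARENT_SLUG], "Version"))
        parent = "unknown" if ver is None else ("affected" if ver < FIXED else "fixed")
    report = {}
    for slug, css in themes.items():
        if slug == PARENT_SLUG:
            report[slug] = parent
        elif (header_field(css, "Template") or "").lower() == PARENT_SLUG:
            # A child theme runs the parent's PHP, so its own Version is irrelevant.
            report[slug] = "child:" + parent
    return report

def load_themes(themes_dir):
    """Collect style.css text for every theme under wp-content/themes."""
    return {p.parent.name: p.read_text(errors="replace")
            for p in Path(themes_dir).glob("*/style.css")}

# Constructed sample headers, not taken from a real site.
SAMPLE = {
    "traveler": "/*\nTheme Name: Traveler\nVersion: 3.1.8\n*/",
    "traveler-child": "/*\nTheme Name: My Child\nTemplate: traveler\nVersion: 9.0\n*/",
    "twentytwentyfour": "/*\nTheme Name: Twenty Twenty-Four\nVersion: 1.0\n*/",
}

if __name__ == "__main__":
    for name, status in audit_themes(SAMPLE).items():
        print(f"{name}: {status}")
```

On a real host, pass the result of `load_themes()` for the site's `wp-content/themes` directory to `audit_themes()` instead of `SAMPLE`.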
Risk and Exploitability
The vulnerability has a CVSS score of 9, indicating critical severity. However, its EPSS score of less than 1% suggests that, at present, the probability of exploitation is low. The vulnerability is not listed in the CISA KEV catalog, implying no publicly confirmed exploit is known. The likely attack vector is a remote attacker crafting a malicious serialized string and delivering it to the site via an HTTP request; the theme blindly deserializes it. If successfully exploited, an attacker could execute arbitrary PHP code on the WordPress instance, leading to full system compromise. Administrators should treat this as a high‑risk issue pending remediation.