The vulnerability is a deserialization flaw that allows untrusted data to be processed by the PHP unserialize function in the Themify Edmin theme. This flaw can enable an attacker to inject malicious objects, potentially leading to remote code execution or compromise of the WordPress installation. The weakness is identified as CWE-502, which indicates a failure to verify the authenticity or integrity of serialized data before deserialization.

WordPress sites that use the Themify Edmin theme version 2.0.0 or earlier. The affected product is the Themify Edmin theme released by Themify. All installations running a pre‑2.0.0 release are vulnerable until they are upgraded.

The CVSS score of 8.8 reflects a high risk to confidentiality, integrity, and availability, while the EPSS score of less than 1% shows a very low probability of exploitation at the present time. The vulnerability is not listed in the CISA KEV catalog. Likely attack vectors include any input mechanism that passes serialized data to the theme – for example, form submissions or API calls that are not properly validated. Should an attacker successfully supply crafted serialized objects, the resultant PHP Object Injection can be leveraged to execute arbitrary code, alter files, or gain full control of the WordPress installation.