Impact
The vulnerability allows an attacker to inject arbitrary PHP objects by deserializing untrusted data provided by the user. This can lead to remote code execution, data theft, or modification of site content. The weakness is a classic PHP object injection scenario, categorized as CWE‑502, where deserialization of untrusted data results in arbitrary code execution or privilege escalation.
Affected Systems
WordPress sites using the HotStar – Multi‑Purpose Business Theme from the vendor themeton, specifically any installations of the theme whose version is 1.4 or earlier.
Risk and Exploitability
The CVSS score of 9.8 indicates a high severity, while the EPSS score of less than 1% suggests low exploitation probability at the time of analysis. The vulnerability is not currently listed in CISA’s KEV catalog. Potential attackers could exploit the flaw by submitting specially crafted serialized payloads to the theme’s deserialization functions, which are presumably accessible through the theme’s public interface. The scope covers the affected system’s confidentiality, integrity, and availability, as execution of arbitrary code can compromise the entire WordPress installation.
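The CWE-502 pattern described under Impact and Risk and Exploitability, shown as an added example for illustration only: this is not code from the HotStar theme or the advisory, and the function names, the option keys and the request parameter are hypothetical. The first function shows the vulnerable shape (untrusted input reaching unserialize() directly), the others show hardened alternatives and a simple detection check a defender can apply to request logs.

```php
<?php
// Added example, not the theme's code. Function names and keys are hypothetical.

// Vulnerable pattern (CWE-502): attacker-controlled input reaches unserialize()
// directly, so any loadable class can be instantiated and its __wakeup() /
// __destruct() magic methods run during or after deserialization.
function load_settings_vulnerable(string $raw): array {
    $data = unserialize($raw); // $raw assumed to come from a request parameter
    return is_array($data) ? $data : [];
}

// Hardened: never instantiate objects from user data, then validate the shape.
function load_settings_hardened(string $raw): array {
    // allowed_classes => false turns every serialized object into
    // __PHP_Incomplete_Class, so no application class and no magic method runs.
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return [];
    }
    // Keep only the expected scalar keys with the expected types; drop the rest.
    $allowed = ['layout' => 'string', 'columns' => 'integer'];
    $clean = [];
    foreach ($allowed as $key => $type) {
        if (array_key_exists($key, $data) && gettype($data[$key]) === $type) {
            $clean[$key] = $data[$key];
        }
    }
    return $clean;
}

// Preferred: carry user-supplied structured data as JSON, which has no
// object-instantiation semantics at all. Depth is capped and errors throw.
function load_settings_json(string $raw): array {
    $data = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : [];
}

// Detection check for WAF rules or log review: a PHP serialized object begins
// with O:<len>:"ClassName" (the C: custom-serialization form is not covered).
// Legitimate settings in this example never contain objects, so a match is
// worth alerting on.
function looks_like_serialized_object(string $raw): bool {
    return (bool) preg_match('/(^|[;{])O:\d+:"/', $raw);
}

// Constructed sample inputs (not captured traffic).
$benign    = serialize(['layout' => 'wide', 'columns' => 3]);
$objectish = 'O:8:"stdClass":0:{}'; // constructed; stdClass has no magic methods

var_dump(load_settings_hardened($benign));
var_dump(load_settings_hardened($objectish));
var_dump(looks_like_serialized_object($benign));
var_dump(looks_like_serialized_object($objectish));
```

The allowed_classes option exists in PHP 7.0 and later; on older runtimes the only safe choice is the JSON variant, since unserialize() there cannot be prevented from instantiating objects.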