The PressGrid – Frontend Publish Reaction & Multimedia Theme contains a deserialization flaw that accepts untrusted data without proper validation. This flaw results in Object Injection (CWE‑502), a vulnerability that could allow an attacker to instantiate malicious PHP objects when the theme processes serialized data. If exploited, the injected objects might trigger the execution of arbitrary PHP code on the host, potentially exposing the entire WordPress installation, compromising data integrity and availability. The CVSS score of 9.8 identifies the issue as critical.

The vulnerability affects all releases of the WordPress PressGrid – Frontend Publish Reaction & Multimedia Theme distributed by themeton, up through version 1.3.1. No newer versions are affected because the bug was introduced before that release.

The CVSS score of 9.8 underscores the high severity of the flaw, while the EPSS score of less than 1% indicates a low current probability of exploitation in the wild. The theme is not listed in the CISA KEV catalog. Based on the description, it is inferred that the vulnerability is triggered by data submitted via the site's frontend, making the attack vector primarily remote through the web interface. If an attacker can send a crafted serialized payload to the theme, the lack of input validation allows the unserialization process to instantiate malicious objects, potentially leading to code execution.