Impact
The Business plugin for WordPress contains a deserialization flaw that allows an attacker to inject malicious PHP objects into the application. The root cause is that user-supplied serialized data is passed to the deserializer without validation. Because the plugin deserializes this data without rejecting forged input, an attacker can craft a payload that instantiates arbitrary objects, which can lead to remote code execution or privilege escalation on the WordPress site. The flaw is classified as CWE-502 (Deserialization of Untrusted Data).
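The pattern behind CWE-502 in PHP and its hardened replacements, as an added example that is not code from The Business plugin: the function names, the settings shape and the sample payloads are hypothetical, chosen to illustrate the class of flaw the advisory describes.

```php
<?php
// Added example, not The Business plugin's code. Function names, the
// settings shape and the sample payloads below are hypothetical.

// Vulnerable pattern (CWE-502): settings arrive PHP-serialized from the
// request and are unserialized verbatim. Any class WordPress has loaded can
// be instantiated, and its __wakeup()/__destruct() magic methods will run.
function load_settings_unsafe(string $raw): array {
    $settings = unserialize($raw);                 // untrusted input
    return is_array($settings) ? $settings : [];
}

// Hardened pattern: forbid object instantiation, then validate the shape.
// With allowed_classes => false (PHP 7.0+) every object in the payload
// becomes __PHP_Incomplete_Class, which is detected and rejected here.
function load_settings_safe(string $raw): array {
    $settings = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($settings)) {
        return [];                                 // malformed or a bare scalar
    }
    array_walk_recursive($settings, function ($value) {
        if (is_object($value)) {
            throw new InvalidArgumentException('object found in serialized settings');
        }
    });
    return $settings;
}

// Preferred fix: stop accepting PHP-serialized data from users altogether.
// JSON has no notion of classes or magic methods, so nothing can be
// instantiated during decoding; depth is capped to limit resource use (PHP 7.3+).
function load_settings_json(string $raw): array {
    $settings = json_decode($raw, true, 32, JSON_THROW_ON_ERROR);
    return is_array($settings) ? $settings : [];
}

// Constructed samples: a legitimate settings array and one that smuggles an
// (here harmless) object into the same structure.
$legit    = serialize(['color' => 'red', 'columns' => 3]);
$smuggled = 'a:1:{s:5:"theme";O:8:"stdClass":0:{}}';

var_dump(load_settings_safe($legit));
try {
    load_settings_safe($smuggled);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Note that `allowed_classes => false` stops object instantiation but not resource exhaustion from deeply nested payloads, which is one more reason to prefer the JSON variant.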
Affected Systems
Affected systems are WordPress sites running The Business plugin versions from the initial release up through version 1.6.1. The vendor, themeton, has acknowledged that the issue exists in all releases before 1.6.2. Site administrators must determine whether they are using a vulnerable version and plan to upgrade accordingly.
Risk and Exploitability
The CVSS score of 9.8 indicates critical severity. The EPSS score of less than 1 percent indicates a low estimated probability of exploitation in the wild at present, but the risk remains high because the flaw is critical and can lead to remote code execution. The vulnerability is not listed in the CISA KEV catalog; the absence of a KEV entry does not reduce the urgency of patching. The likely attack vector is inferred to be any interface that accepts serialized input from users, such as REST endpoints or plugin configuration pages. No public exploit code has been disclosed, but the nature of the flaw means a determined attacker could construct a payload without much difficulty.
OpenCVE Enrichment